[PATCH] disable nfsd (NFSv4) nobody/nogroup check

Rick Macklem rmacklem at uoguelph.ca
Tue Oct 14 12:01:53 UTC 2014


Marcelo Araujo wrote:
> Hello Blot,
> 
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
> 
> If Rick has no objection and no free time, I can commit the patch during
> this week.
> 
> Best Regards,
> 
> 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot at unix-experience.fr>:
> 
> > Hi,
> >  since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > sysctl variable to disable the nobody and nogroup check in the kernel
> > (default enabled).
> >  This variable is useful in some situations, like TFTP over NFS, jails
> > over NFS (some files like /var/db/locate.database need the nobody user).
> >
> >  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > modify the NFSv4 nobody/nogroup check.
> >
> >  Thanks to Rick for telling me where the problem was.
> >
> >  Can you review the patch, and add it to the kernel to avoid the previously
> > mentioned issue?
> >
> >  Here is my patch:
> >
> >  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
> >  12:03:50.163311506
> > +0200
> >  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
> >  12:06:29.793304755 +0200
> >  @@ -62,9 +62,18 @@
> >   SYSCTL_DECL(_vfs_nfsd);
> >
> >   static int    disable_checkutf8 = 0;
> >  +static int    disable_nobodycheck = 0;
> >  +static int    disable_nogroupcheck = 0;
> >   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> >       &disable_checkutf8, 0,
> >       "Disable the NFSv4 check for a UTF8 compliant name");
> >  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> >  +    &disable_nobodycheck, 0,
> >  +    "Disable the NFSv4 check when setting user nobody as owner");
> >  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
> >  +    &disable_nogroupcheck, 0,
> >  +    "Disable the NFSv4 check when setting group nogroup as
> >  owner");
> >  +
> >
Patch looks fine to me.

Marcelo, you can commit this if you'd like. Otherwise I'll do it.

Sorry it took a while for me to remember this was disabled. (My only
excuse is I wrote it about 10 years ago ;-)

rick

> >   static char nfsrv_hexdigit(char, int *);
> >
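Review bot: the description strings on the two added SYSCTL_INT entries name "user nobody" and "group nogroup", but the test they gate in the second hunk compares against nfsrv_defaultuid and nfsrv_defaultgid, so the text should refer to the default uid/gid rather than fixed account names and say that a non-zero value lets the owner change through instead of returning NFSERR_BADOWNER. Both knobs are CTLFLAG_RW and default to 0, which keeps the current behaviour; because setting them relaxes an ownership check on the server, they should also be described in the nfsd documentation. The added blank line at the end of the hunk sits next to an existing blank context line, leaving two blank lines before the nfsrv_hexdigit() prototype.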
> >  @@ -1543,8 +1552,8 @@
> >        */
> >       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> >           goto out;
> >  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> >  nfsrv_defaultuid)
> >  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> >  nfsrv_defaultgid)) {
> >  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> >  nfsrv_defaultuid &&
> > disable_nobodycheck == 0)
> >  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> >  nfsrv_defaultgid &&
> > disable_nogroupcheck == 0)) {
> >           error = NFSERR_BADOWNER;
> >           goto out;
> >       }
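Review bot: the comment block that ends just above this test is left untouched, yet the NFSERR_BADOWNER result now depends on disable_nobodycheck and disable_nogroupcheck; the comment should state that each knob lets the corresponding default uid or gid be set. The two knobs are independent halves of the ||, so with only disable_nobodycheck set a request that sets both uid and gid to the defaults is still rejected by the gid half, which is worth spelling out in the sysctl descriptions. The added lines also run past 80 columns and have been wrapped by the mailer here, so re-break the condition and send the patch as an attachment so that it applies cleanly.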
> >  Regards,
> >
> >  Loïc Blot,
> >  UNIX Systems, Network and Security Engineer
> >  http://www.unix-experience.fr
> > _______________________________________________
> > freebsd-fs at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to
> > "freebsd-fs-unsubscribe at freebsd.org"
> 
> 
> 
> 
> --
> 
> --
> Marcelo Araujo            (__)araujo at FreeBSD.org
> \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
> Power To Server.         .\. /_)

