[PATCH] disable nfsd (NFSv4) nobody/nogroup check

Marcelo Araujo araujobsdport at gmail.com
Tue Oct 14 12:12:13 UTC 2014


Hello All,

Before I commit it, I will double-check what the best way is.
Thanks to Ronald for pointing it out.

Best Regards,

2014-10-14 20:09 GMT+08:00 Rick Macklem <rmacklem at uoguelph.ca>:

> Ronald Klop wrote:
> > I thought it is advised to make settings positively defined. So not use
> > 'disable = 1', but 'enable = 0'.
> >
> For the case of disable_utf8, I made it negative, since disabling the
> check violates RFC-3530. For these checks, there isn't anything in the
> RFC requiring the check AFAIK, so I personally don't care which way they
> are done. (If the default is disabling the check that could be a minor POLA
> violation.)
>
> So, you guys choose whichever you prefer to commit, rick
>
> > Ronald.
> >
> >
> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
> > <araujobsdport at gmail.com> wrote:
> >
> > > Hello Blot,
> > >
> > > The patch looks reasonable.
> > > As per the email thread, seems a good approach to overcome this issue, at
> > > least for now.
> > >
> > > If Rick has no objection and no free time, I can commit the patch during
> > > this week.
> > >
> > > Best Regards,
> > >
> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot
> > > <loic.blot at unix-experience.fr>:
> > >
> > >> Hi,
> > >>  since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > >> sysctl variable to disable nobody and nogroup check in the kernel
> > >> (default enabled)
> > >>  This variable is useful in some situations, like TFTP over NFS, jails
> > >> over NFS (some files like /var/db/locate.database need nobody user).
> > >>
> > >>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > >> modify NFSv4 nobody/nogroup check.
> > >>
> > >>  Thanks to Rick for telling me where the problem was.
> > >>
> > >>  Can you review the patch, and add it to kernel to avoid previously
> > >> mentioned issue.
> > >>
> > >>  Here is my patch:
> > >>
> > >>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
> > >> 12:03:50.163311506
> > >> +0200
> > >>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
> > >>  12:06:29.793304755
> > >> +0200
> > >>  @@ -62,9 +62,18 @@
> > >>   SYSCTL_DECL(_vfs_nfsd);
> > >>
> > >>   static int    disable_checkutf8 = 0;
> > >>  +static int    disable_nobodycheck = 0;
> > >>  +static int    disable_nogroupcheck = 0;
> > >>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> > >>       &disable_checkutf8, 0,
> > >>       "Disable the NFSv4 check for a UTF8 compliant name");
> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> > >>  +    &disable_nobodycheck, 0,
> > >>  +    "Disable the NFSv4 check when setting user nobody as
> > >>  owner");
> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
> > >>  CTLFLAG_RW,
> > >>  +    &disable_nogroupcheck, 0,
> > >>  +    "Disable the NFSv4 check when setting group nogroup as
> > >>  owner");
> > >>  +
> > >>
> > >>   static char nfsrv_hexdigit(char, int *);
> > >>
> > >>  @@ -1543,8 +1552,8 @@
> > >>        */
> > >>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> > >>           goto out;
> > >>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> > >>  nfsrv_defaultuid)
> > >>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> > >> nfsrv_defaultgid)) {
> > >>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> > >>  nfsrv_defaultuid &&
> > >> disable_nobodycheck == 0)
> > >>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> > >>  nfsrv_defaultgid
> > >> &&
> > >> disable_nogroupcheck == 0)) {
> > >>           error = NFSERR_BADOWNER;
> > >>           goto out;
> > >>       }
> > >>  Regards,
> > >>
> > >>  Loïc Blot,
> > >>  UNIX Systems, Network and Security Engineer
> > >>  http://www.unix-experience.fr
> > >> _______________________________________________
> > >> freebsd-fs at freebsd.org mailing list
> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > >> To unsubscribe, send any mail to
> > >> "freebsd-fs-unsubscribe at freebsd.org"
> > >
> > >
> > >
> >
>



-- 
Marcelo Araujo
araujo at FreeBSD.org
http://www.FreeBSD.org
Power To Server.

