[PATCH] disable nfsd (NFSv4) nobody/nogroup check
Marcelo Araujo
araujobsdport at gmail.com
Wed Oct 15 02:24:48 UTC 2014
Hello Ronald and Blot,
Here is the patch with a small rework. I considered Ronald's comments, and
I also changed the code style a bit.
If you guys agree with the patch, I will commit it today.
Note: About the disable_utf8 that Rick has mentioned, I will rework that part
later to make it enable_utf8 instead of disable_utf8.
Best Regards,
2014-10-14 20:12 GMT+08:00 Marcelo Araujo <araujobsdport at gmail.com>:
> Hello All,
>
> Before I commit it, I will double check what is the best way.
> Thanks to Ronald for pointing it out.
>
> Best Regards,
>
> 2014-10-14 20:09 GMT+08:00 Rick Macklem <rmacklem at uoguelph.ca>:
>
>> Ronald Klop wrote:
>> > I thought it is advised to make settings positively defined. So not use
>> > 'disable = 1', but 'enable = 0'.
>> >
>> For the case of disable_utf8, I made it negative, since disabling the
>> check violates RFC-3530. For these checks, there isn't anything in the
>> RFC requiring the check AFAIK, so I personally don't care which way they
>> are done. (If the default is disabling the check that could be a minor
>> POLA violation.)
>>
>> So, you guys choose whichever you prefer to commit, rick
>>
>> > Ronald.
>> >
>> >
>> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
>> > <araujobsdport at gmail.com> wrote:
>> >
>> > > Hello Blot,
>> > >
>> > > The patch looks reasonable.
>> > > As per the email thread, it seems a good approach to overcome this
>> > > issue, at least for now.
>> > >
>> > > If Rick has no objection and no free time, I can commit the patch
>> > > during this week.
>> > >
>> > > Best Regards,
>> > >
>> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot
>> > > <loic.blot at unix-experience.fr>:
>> > >
>> > >> Hi,
>> > >> since a recent problem (see thread NFSv4 nobody issue), I think we
>> > >> need a sysctl variable to disable the nobody and nogroup check in the
>> > >> kernel (default enabled).
>> > >> This variable is useful in some situations, like TFTP over NFS, jails
>> > >> over NFS (some files like /var/db/locate.database need the nobody
>> > >> user).
>> > >>
>> > >> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
>> > >> to modify the NFSv4 nobody/nogroup check.
>> > >>
>> > >> Thanks to Rick for telling me where the problem was.
>> > >>
>> > >> Can you review the patch and add it to the kernel to avoid the
>> > >> previously mentioned issue?
>> > >>
>> > >> Here is my patch:
>> > >>
>> > >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14
>> > >> 12:03:50.163311506
>> > >> +0200
>> > >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14
>> > >> 12:06:29.793304755
>> > >> +0200
>> > >> @@ -62,9 +62,18 @@
>> > >> SYSCTL_DECL(_vfs_nfsd);
>> > >>
>> > >> static int disable_checkutf8 = 0;
>> > >> +static int disable_nobodycheck = 0;
>> > >> +static int disable_nogroupcheck = 0;
>> > >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>> > >> &disable_checkutf8, 0,
>> > >> "Disable the NFSv4 check for a UTF8 compliant name");
>> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>> > >> + &disable_nobodycheck, 0,
>> > >> + "Disable the NFSv4 check when setting user nobody as
>> > >> owner");
>> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
>> > >> CTLFLAG_RW,
>> > >> + &disable_nogroupcheck, 0,
>> > >> + "Disable the NFSv4 check when setting group nogroup as
>> > >> owner");
>> > >> +
>> > >>
>> > >> static char nfsrv_hexdigit(char, int *);
>> > >>
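Review bot: the description strings on the two new SYSCTL_INT entries name the check but not what a non-zero value permits, and "setting group nogroup as owner" is misleading because a group is not an owner. Both knobs are CTLFLAG_RW and default to 0, so an administrator reading `sysctl -d` should be able to tell that setting them relaxes an ownership check; something like "Allow NFSv4 clients to set the owner to nobody" and "Allow NFSv4 clients to set the group to nogroup" would say that directly, and would also fit the positive-naming point raised in this thread. The trailing added empty `+` line should be dropped as well, since it leaves two blank lines before `static char nfsrv_hexdigit(char, int *);`.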
>> > >> @@ -1543,8 +1552,8 @@
>> > >> */
>> > >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>> > >> goto out;
>> > >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
>> > >> nfsrv_defaultuid)
>> > >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
>> > >> nfsrv_defaultgid)) {
>> > >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
>> > >> nfsrv_defaultuid &&
>> > >> disable_nobodycheck == 0)
>> > >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
>> > >> nfsrv_defaultgid
>> > >> &&
>> > >> disable_nogroupcheck == 0)) {
>> > >> error = NFSERR_BADOWNER;
>> > >> goto out;
>> > >> }
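Review bot: the comment that closes with `*/` directly above the `if` is not touched by this hunk, so it says nothing about NFSERR_BADOWNER now being conditional on two sysctls; add a sentence there naming disable_nobodycheck and disable_nogroupcheck. That sentence should also state that the knobs are independent: a request that sets both na_uid and na_gid to the default values is still rejected unless both knobs are non-zero. On style, appending `&& disable_nobodycheck == 0` and `&& disable_nogroupcheck == 0` to the end of each clause pushes both lines past 80 columns; wrap the condition, and consider testing the knob first in each clause so the intent is visible at the start of the line.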
>> > >> Regards,
>> > >>
>> > >> Loïc Blot,
>> > >> UNIX Systems, Network and Security Engineer
>> > >> http://www.unix-experience.fr
>> > >> _______________________________________________
>> > >> freebsd-fs at freebsd.org mailing list
>> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> > >> To unsubscribe, send any mail to
>> > >> "freebsd-fs-unsubscribe at freebsd.org"
>> > >
>> > >
>> > >
>> >
>>
--
Marcelo Araujo
araujo at FreeBSD.org
http://www.FreeBSD.org
Power To Server.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs-nogroup-user.patch
Type: application/octet-stream
Size: 1273 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-fs/attachments/20141015/e8ac82c7/attachment.obj>