[PATCH] disable nfsd (NFSv4) nobody/nogroup check

Marcelo Araujo araujobsdport at gmail.com
Wed Oct 15 02:24:48 UTC 2014 

Hello Ronald and Blot,

Here is the patch with a small rework. I consider Ronaldo's comments as
well as I just change a bit the code style.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mention, I will rework that part
later to make it as enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo <araujobsdport at gmail.com>:

> Hello All,
>
> Before I commit it, I will double check what is the best way.
> Thanks Ronald to point it out.
>
> Best Regards,
>
> 2014-10-14 20:09 GMT+08:00 Rick Macklem <rmacklem at uoguelph.ca>:
>
>> Ronald Klop wrote:
>> > I thought it is advised to make settings positively defined. So not
>> > use
>> > 'disable = 1', but 'enable = 0'.
>> >
>> For the case of disable_utf8, I made it negative, since disabling the
>> check violates RFC-3530. For these checks, there isn't anything in the
>> RFC requiring the check AFAIK, so I personally don't care which way they
>> are done. (If the default is disabling the check that could be a minor
>> POLA
>> violation.)
>>
>> So, you guys choose whichever you prefer to commit, rick
>>
>> > Ronald.
>> >
>> >
>> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
>> > <araujobsdport at gmail.com> wrote:
>> >
>> > > Hello Blot,
>> > >
>> > > The patch looks reasonable.
>> > > As per the email thread, seems a good approach to overcome this
>> > > issue, at
>> > > least for now.
>> > >
>> > > If Rick has no objection and no free time, I can commit the patch
>> > > during
>> > > this week.
>> > >
>> > > Best Regards,
>> > >
>> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot
>> > > <loic.blot at unix-experience.fr>:
>> > >
>> > >> Hi,
>> > >>  since a recent problem (see thread NFSv4 nobody issue), i think
>> > >>  we
>> > >> need a
>> > >> sysctl variable to disable nobody and nogroup check into the
>> > >> kernel
>> > >> (default enabled)
>> > >>  This variable is useful in some situations, like TFTP over NFS,
>> > >>  jails
>> > >> over NFS (some files like /var/db/locate.database need nobody
>> > >> user).
>> > >>
>> > >>  I added vfs.nfsd.disable_nobodycheck and
>> > >>  vfs.nfsd.disable_nogroupcheck
>> > >> to
>> > >> modify NFSv4 nobody/nogroup check.
>> > >>
>> > >>  Thanks to Rick to tell me where the problem was.
>> > >>
>> > >>  Can you review the patch, and add it to kernel to avoid previous
>> > >> mentionned issue.
>> > >>
>> > >>  Here is my patch:
>> > >>
>> > >>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
>> > >> 12:03:50.163311506
>> > >> +0200
>> > >>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
>> > >>  12:06:29.793304755
>> > >> +0200
>> > >>  @@ -62,9 +62,18 @@
>> > >>   SYSCTL_DECL(_vfs_nfsd);
>> > >>
>> > >>   static int    disable_checkutf8 = 0;
>> > >>  +static int    disable_nobodycheck = 0;
>> > >>  +static int    disable_nogroupcheck = 0;
>> > >>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>> > >>       &disable_checkutf8, 0,
>> > >>       "Disable the NFSv4 check for a UTF8 compliant name");
>> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>> > >>  +    &disable_nobodycheck, 0,
>> > >>  +    "Disable the NFSv4 check when setting user nobody as
>> > >>  owner");
>> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
>> > >>  CTLFLAG_RW,
>> > >>  +    &disable_nogroupcheck, 0,
>> > >>  +    "Disable the NFSv4 check when setting group nogroup as
>> > >>  owner");
>> > >>  +
>> > >>
>> > >>   static char nfsrv_hexdigit(char, int *);
>> > >>
>> > >>  @@ -1543,8 +1552,8 @@
>> > >>        */
>> > >>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>> > >>           goto out;
>> > >>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
>> > >>  nfsrv_defaultuid)
>> > >>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
>> > >> nfsrv_defaultgid)) {
>> > >>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
>> > >>  nfsrv_defaultuid &&
>> > >> disable_nobodycheck == 0)
>> > >>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
>> > >>  nfsrv_defaultgid
>> > >> &&
>> > >> disable_nogroupcheck == 0)) {
>> > >>           error = NFSERR_BADOWNER;
>> > >>           goto out;
>> > >>       }
>> > >>  Regards,
>> > >>
>> > >>  Loïc Blot,
>> > >>  UNIX Systems, Network and Security Engineer
>> > >>  http://www.unix-experience.fr
>> > >> _______________________________________________
>> > >> freebsd-fs at freebsd.org mailing list
>> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> > >> To unsubscribe, send any mail to
>> > >> "freebsd-fs-unsubscribe at freebsd.org"
>> > >
>> > >
>> > >
>> > _______________________________________________
>> > freebsd-fs at freebsd.org mailing list
>> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> > To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
>> >
>>
>
>
>
> --
>
> --
> Marcelo Araujo            (__)araujo at FreeBSD.org     \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
> Power To Server.         .\. /_)
>
>


-- 

-- 
Marcelo Araujo            (__)araujo at FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>   \/  \ ^
Power To Server.         .\. /_)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nfs-nogroup-user.patch
Type: application/octet-stream
Size: 1273 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-fs/attachments/20141015/e8ac82c7/attachment.obj>

More information about the freebsd-fs mailing list