[PATCH] disable nfsd (NFSv4) nobody/nogroup check

Loïc Blot loic.blot at unix-experience.fr
Wed Oct 15 07:21:30 UTC 2014


Hi,
 I agree, thanks for your rework!

 Regards,

 Loïc Blot,
 UNIX Systems, Network and Security Engineer
 http://www.unix-experience.fr
 On 15 October 2014 at 04:24, "Marcelo Araujo" wrote:

	  
 Hello Ronald and Blot, 
  
Here is the patch with a small rework. I considered Ronald's comments and also changed the code style a bit.
  
If you guys agree with the patch, I will commit it today.  
  
Note: About the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.
  
Best Regards,  
  
2014-10-14 20:12 GMT+08:00 Marcelo Araujo :

    Hello All, 
  
Before I commit it, I will double check what is the best way. 
Thanks, Ronald, for pointing it out.
  
Best Regards,  
  
2014-10-14 20:09 GMT+08:00 Rick Macklem :

Ronald Klop wrote:
 > I thought it is advised to make settings positively defined. So not use
 > 'disable = 1', but 'enable = 0'.
 >
 For the case of disable_utf8, I made it negative, since disabling the
 check violates RFC-3530. For these checks, there isn't anything in the
 RFC requiring the check AFAIK, so I personally don't care which way they
 are done. (If the default is disabling the check that could be a minor POLA
 violation.)

 So, you guys choose whichever you prefer to commit, rick 
 > Ronald.
 >
 >
 > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
 >
 > > Hello Blot,
 > >
 > > The patch looks reasonable.
 > > As per the email thread, seems a good approach to overcome this issue,
 > > at least for now.
 > >
 > > If Rick has no objection and no free time, I can commit the patch during
 > > this week.
 > >
 > > Best Regards,
 > >
 > > 2014-10-14 18:34 GMT+08:00 Loïc Blot:
 > >
 > >> Hi,
 > >>  since a recent problem (see thread NFSv4 nobody issue), I think we
 > >> need a sysctl variable to disable the nobody and nogroup check in the
 > >> kernel (default enabled).
 > >>  This variable is useful in some situations, like TFTP over NFS, jails
 > >> over NFS (some files like /var/db/locate.database need nobody user).
 > >>
 > >>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
 > >> to modify NFSv4 nobody/nogroup check.
 > >>
 > >>  Thanks to Rick for telling me where the problem was.
 > >>
 > >>  Can you review the patch and add it to the kernel to avoid the
 > >> previously mentioned issue?
 > >>
 > >>  Here is my patch:
 > >>
 > >>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
 > >> 12:03:50.163311506
 > >> +0200
 > >>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
 > >>  12:06:29.793304755
 > >> +0200
 > >>  @@ -62,9 +62,18 @@
 > >>   SYSCTL_DECL(_vfs_nfsd);
 > >>
 > >>   static int    disable_checkutf8 = 0;
 > >>  +static int    disable_nobodycheck = 0;
 > >>  +static int    disable_nogroupcheck = 0;
 > >>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
 > >>       &disable_checkutf8, 0,
 > >>       "Disable the NFSv4 check for a UTF8 compliant name");
 > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
 > >>  +    &disable_nobodycheck, 0,
 > >>  +    "Disable the NFSv4 check when setting user nobody as
 > >>  owner");
 > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
 > >>  CTLFLAG_RW,
 > >>  +    &disable_nogroupcheck, 0,
 > >>  +    "Disable the NFSv4 check when setting group nogroup as
 > >>  owner");
 > >>  +
 > >>
 > >>   static char nfsrv_hexdigit(char, int *);
 > >>
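Review bot: The description strings on the two added SYSCTL_INT entries ("Disable the NFSv4 check when setting user nobody as owner") do not tell an administrator what the check does or that the default of 0 keeps it enabled. Both knobs are CTLFLAG_RW and relax a server-side owner check at runtime, so the text should state the effect: per the second hunk, the check compares against nfsrv_defaultuid and nfsrv_defaultgid and returns NFSERR_BADOWNER. No documentation accompanies the new knobs in this patch. Minor: the added trailing blank line sits directly before an existing blank line, leaving two in a row.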
 > >>  @@ -1543,8 +1552,8 @@
 > >>        */
 > >>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
 > >>           goto out;
 > >>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
 > >>  nfsrv_defaultuid)
 > >>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
 > >> nfsrv_defaultgid)) {
 > >>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
 > >>  nfsrv_defaultuid &&
 > >> disable_nobodycheck == 0)
 > >>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
 > >>  nfsrv_defaultgid
 > >> &&
 > >> disable_nogroupcheck == 0)) {
 > >>           error = NFSERR_BADOWNER;
 > >>           goto out;
 > >>       }
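Review bot: The rewritten condition still compares against nfsrv_defaultuid and nfsrv_defaultgid rather than a literal nobody/nogroup id, so with a knob set to 1 every setattr that carries the default id passes without NFSERR_BADOWNER; a comment above the condition should say that this is the intended effect. Style: appending the knob tests pushes both lines well past 80 columns and makes the mixed &&/|| grouping hard to read. Consider testing the knob first, as in "(disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)", and wrapping the continuation lines.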
 > >>  Regards,
 > >>
 > >>  Loïc Blot,
 > >>  UNIX Systems, Network and Security Engineer
 > >>  http://www.unix-experience.fr
 > >> _______________________________________________
 > >> freebsd-fs at freebsd.org mailing list
 > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
 > >> To unsubscribe, send any mail to
 > >> "freebsd-fs-unsubscribe at freebsd.org"
 > >
 > >
 > >
 >      
--
Marcelo Araujo
araujo at FreeBSD.org
http://www.FreeBSD.org
Power To Server.