[PATCH] disable nfsd (NFSv4) nobody/nogroup check
Loïc Blot
loic.blot at unix-experience.fr
Wed Oct 15 07:21:30 UTC 2014
Hi,
I agree, thanks for your rework!
Regards,
Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr
On 15 October 2014 04:24, "Marcelo Araujo" wrote:
Hello Ronald and Blot,
Here is the patch with a small rework. I considered Ronald's comments as well and just changed the code style a bit.
If you guys agree with the patch, I will commit it today.
Note: about the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.
Best Regards,
2014-10-14 20:12 GMT+08:00 Marcelo Araujo :
Hello All,
Before I commit it, I will double check what is the best way.
Thanks to Ronald for pointing it out.
Best Regards,
2014-10-14 20:09 GMT+08:00 Rick Macklem :
Ronald Klop wrote:
> I thought it is advised to make settings positively defined. So not
> use 'disable = 1', but 'enable = 0'.
>
For the case of disable_utf8, I made it negative, since disabling the
check violates RFC-3530. For these checks, there isn't anything in the
RFC requiring the check AFAIK, so I personally don't care which way they
are done. (If the default is disabling the check that could be a minor POLA
violation.)
So, you guys choose whichever you prefer to commit, rick
> Ronald.
>
>
> On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
>
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, it seems a good approach to overcome this
> > issue, at least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch
> > during this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot :
> >
> >> Hi,
> >> Since a recent problem (see thread "NFSv4 nobody issue"), I think we
> >> need a sysctl variable to disable the nobody and nogroup check in the
> >> kernel (default enabled).
> >> This variable is useful in some situations, like TFTP over NFS and
> >> jails over NFS (some files like /var/db/locate.database need the
> >> nobody user).
> >>
> >> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
> >> to modify the NFSv4 nobody/nogroup check.
> >>
> >> Thanks to Rick for telling me where the problem was.
> >>
> >> Can you review the patch and add it to the kernel to avoid the
> >> previously mentioned issue?
> >>
> >> Here is my patch:
> >>
> >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14
> >> 12:03:50.163311506
> >> +0200
> >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14
> >> 12:06:29.793304755
> >> +0200
> >> @@ -62,9 +62,18 @@
> >> SYSCTL_DECL(_vfs_nfsd);
> >>
> >> static int disable_checkutf8 = 0;
> >> +static int disable_nobodycheck = 0;
> >> +static int disable_nogroupcheck = 0;
> >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> >> &disable_checkutf8, 0,
> >> "Disable the NFSv4 check for a UTF8 compliant name");
> >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> >> + &disable_nobodycheck, 0,
> >> + "Disable the NFSv4 check when setting user nobody as
> >> owner");
> >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
> >> CTLFLAG_RW,
> >> + &disable_nogroupcheck, 0,
> >> + "Disable the NFSv4 check when setting group nogroup as
> >> owner");
> >> +
> >>
> >> static char nfsrv_hexdigit(char, int *);
> >>
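Review bot: the description string for disable_nogroupcheck ("Disable the NFSv4 check when setting group nogroup as owner") describes the owning group, not the owner; change it to something like "Disable the NFSv4 check when setting group nogroup as the owning group" so `sysctl -d` output is accurate. The lone `+` line after the second SYSCTL_INT introduces a stray blank line ahead of the existing one; drop it. On Ronald's naming point, both knobs default to 0 so the existing check stays in force, which keeps POLA whichever of `disable_*` or `enable_*` is chosen; just be consistent with disable_checkutf8 next to them.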
> >> @@ -1543,8 +1552,8 @@
> >> */
> >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> >> goto out;
> >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> >> nfsrv_defaultuid)
> >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> >> nfsrv_defaultgid)) {
> >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
> >> nfsrv_defaultuid &&
> >> disable_nobodycheck == 0)
> >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
> >> nfsrv_defaultgid
> >> &&
> >> disable_nogroupcheck == 0)) {
> >> error = NFSERR_BADOWNER;
> >> goto out;
> >> }
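Review bot: the comment closed by `*/` just above this check presumably explains why nobody/nogroup ownership is rejected with NFSERR_BADOWNER; it should now also say that vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck bypass that rejection, since the condition no longer stands on its own. Stylistically, leaving `&&` alone on its own line reads badly; keep it at the end of the preceding line, e.g. `nvap->na_gid == nfsrv_defaultgid &&` followed by `disable_nogroupcheck == 0)) {`. The logic itself is sound: the parentheses keep each sysctl scoped to its own uid or gid clause, so disabling one check does not loosen the other.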
> >> Regards,
> >>
> >> Loïc Blot,
> >> UNIX Systems, Network and Security Engineer
> >> http://www.unix-experience.fr
> >> _______________________________________________
> >> freebsd-fs at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> >> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
--
Marcelo Araujo
araujo at FreeBSD.org
http://www.FreeBSD.org
Power To Server.