Date: Fri, 22 Sep 2006 12:31:10 +0200
From: Rink Springer <rink@FreeBSD.org>
To: arch@FreeBSD.org
Cc: roel@qsp.nl
Subject: NFS+SUIDDIR problem
Message-ID: <20060922103110.GA4266@rink.nu>
Hi everyone,

At work, we are having problems migrating a local filesystem (that was mounted using -o suiddir) to a NFS server, where the filesystem is also mounted using -o suiddir. This is on a 6.1-STABLE machine.

If a file has been created using, say, uid1, ufs/ufs/ufs_vnops.c:ufs_makeinode() will transform this to uid2 whenever needed, as desired. However, the NFS server code nfsserver/nfs_serv.c:nfsrv_access_withgiant() will check whether the vnode's attributes match those of the user credentials (cred->cr_uid == vattr.va_uid).

As the UFS driver just transformed uid1 to uid2, the check above does not hold (as vattr.va_uid == uid2 but cred->cr_uid == uid1), and thus access is incorrectly denied.

We've devised a patch which allows any write on a MNT_SUIDDIR mounted filesystem, as long as the UID is within a certain range (settable using sysctls).

However, even though this prevents our problems, is there a better solution to this problem (e.g. having the vnode remember that it was chowned and checking that field)? Or would it be best to request our patch to be committed?

Thanks,

-- 
Rink P.W. Springer - http://rink.nu
"When will the internet move from 64Kb max .com domains to .exe domains which can use much more memory?" - Edwin Groothuis
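The mismatch described in the message above, as a small userland C model. This is an added example, not code from the message or from the FreeBSD tree; the struct and function names, the uid values 1001/2002/3003, and the mode-bit handling around the owner comparison are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
/* Simplified userland model, not FreeBSD kernel code; all names are hypothetical. */
struct dir_model  { uid_t owner; bool setuid_bit; };
struct file_model { uid_t owner; uid_t creator; mode_t mode; };

/* Ownership rewrite on create, as the message attributes to ufs_makeinode():
 * on a suiddir mount a setuid directory hands new files to its (non-root) owner. */
static struct file_model create_file(const struct dir_model *d, uid_t cred_uid,
                                     mode_t mode, bool mnt_suiddir)
{
    struct file_model f = { cred_uid, cred_uid, mode };
    if (mnt_suiddir && d->setuid_bit && d->owner != 0 && d->owner != cred_uid)
        f.owner = d->owner;
    return f;
}

/* Assumed surrounding logic: mode bits first (groups omitted), then the owner
 * comparison quoted in the message (cred->cr_uid == vattr.va_uid). */
static bool write_allowed_current(const struct file_model *f, uid_t cred_uid)
{
    mode_t bit = (cred_uid == f->owner) ? 0200 : 0002;
    return (f->mode & bit) != 0 || cred_uid == f->owner;
}

/* Alternative floated in the message: also accept the remembered creator. */
static bool write_allowed_remember(const struct file_model *f, uid_t cred_uid)
{
    return write_allowed_current(f, cred_uid) || cred_uid == f->creator;
}

/* uid1 = 1001 creates in a setuid dir owned by uid2 = 2002 (constructed values). */
static bool write_after_create(bool mnt_suiddir, uid_t writer, bool remember)
{
    struct dir_model d = { 2002, true };
    struct file_model f = create_file(&d, 1001, 0644, mnt_suiddir);
    return remember ? write_allowed_remember(&f, writer)
                    : write_allowed_current(&f, writer);
}

int main(void)
{
    printf("no suiddir, uid1 writes:         %d\n", write_after_create(false, 1001, false));
    printf("suiddir, uid1 writes:            %d\n", write_after_create(true, 1001, false));
    printf("suiddir + remembered creator:    %d\n", write_after_create(true, 1001, true));
    printf("suiddir + remembered, other uid: %d\n", write_after_create(true, 3003, true));
    return 0;
}
```

Unlike a uid-range exemption, the remembered-creator variant in this model still denies an unrelated uid (3003), since only the recorded creator and the file's owner pass the check.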