Date: Tue, 14 Oct 2014 08:01:50 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: araujo@FreeBSD.org
Cc: freebsd-fs@freebsd.org
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID: <986887451.63845723.1413288110282.JavaMail.root@uoguelph.ca>
In-Reply-To: <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com>

Marcelo Araujo wrote:
> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch during
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot@unix-experience.fr>:
>
> > Hi,
> > since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > sysctl variable to disable nobody and nogroup check in the kernel
> > (default enabled).
> > This variable is useful in some situations, like TFTP over NFS, jails
> > over NFS (some files like /var/db/locate.database need nobody user).
> >
> > I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > modify NFSv4 nobody/nogroup check.
> >
> > Thanks to Rick for telling me where the problem was.
> >
> > Can you review the patch, and add it to the kernel to avoid the previously
> > mentioned issue?
> >
> > Here is my patch:
> >
> > --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14
> > 12:03:50.163311506
> > +0200
> > +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14
> > 12:06:29.793304755 +0200
> > @@ -62,9 +62,18 @@
> > SYSCTL_DECL(_vfs_nfsd);
> >
> > static int disable_checkutf8 =3D 0;
> > +static int disable_nobodycheck =3D 0;
> > +static int disable_nogroupcheck =3D 0;
> > SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> > &disable_checkutf8, 0,
> > "Disable the NFSv4 check for a UTF8 compliant name");
> > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> > + &disable_nobodycheck, 0,
> > + "Disable the NFSv4 check when setting user nobody as owner");
> > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
> > + &disable_nogroupcheck, 0,
> > + "Disable the NFSv4 check when setting group nogroup as
> > owner");
> > +
> >
Patch looks fine to me.
Marcelo, you can commit this if you'd like. Otherwise I'll do it.
Sorry it took a while for me to remember this was disabled. (My only
excuse is I wrote it about 10 years ago;-)
rick
> > static char nfsrv_hexdigit(char, int *);
> >
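Review bot: the description strings on the two new SYSCTL_INT entries say which check is disabled but not what a server gives up by setting them; both are CTLFLAG_RW, so they can be flipped at runtime, and the text (or accompanying documentation, which this patch does not include) should say that a value of 1 allows nobody/nogroup to be set as owner over NFSv4. Style: the lone added `+` line before the existing blank line leaves two blank lines ahead of `static char nfsrv_hexdigit(char, int *);` and can be dropped.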
> > @@ -1543,8 +1552,8 @@
> > */
> > if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> > goto out;
> > - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > nfsrv_defaultuid)
> > - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > nfsrv_defaultgid)) {
> > + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > nfsrv_defaultuid &&
> > disable_nobodycheck =3D=3D 0)
> > + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > nfsrv_defaultgid &&
> > disable_nogroupcheck =3D=3D 0)) {
> > error =3D NFSERR_BADOWNER;
> > goto out;
> > }
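Review bot: in the rewritten `if`, the knob tests are appended to the end of each sub-expression, which makes both added lines long and hides the fact that the NFSERR_BADOWNER path is now conditional; test the knob first, e.g. `(disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)`, and likewise for the gid. The comment block that ends at `*/` just above is not touched by this hunk; it should mention vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck so the reason the check can be skipped is recorded next to it.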
> > Regards,
> >
> > Loïc Blot,
> > UNIX Systems, Network and Security Engineer
> > http://www.unix-experience.fr
> > _______________________________________________
> > freebsd-fs@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to
> > "freebsd-fs-unsubscribe@freebsd.org"
> --
> Marcelo Araujo
> araujo@FreeBSD.org
> http://www.FreeBSD.org
> Power To Server.
