Date: Tue, 14 Oct 2014 08:01:50 -0400 (EDT)
From: Rick Macklem <rmacklem@uoguelph.ca>
To: araujo@FreeBSD.org
Cc: freebsd-fs@freebsd.org
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID: <986887451.63845723.1413288110282.JavaMail.root@uoguelph.ca>
In-Reply-To: <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com>
Marcelo Araujo wrote:
> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch during
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot@unix-experience.fr>:
>
> > Hi,
> > since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > sysctl variable to disable nobody and nogroup check into the kernel
> > (default enabled)
> > This variable is useful in some situations, like TFTP over NFS, jails
> > over NFS (some files like /var/db/locate.database need nobody user).
> >
> > I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > modify NFSv4 nobody/nogroup check.
> >
> > Thanks to Rick to tell me where the problem was.
> >
> > Can you review the patch, and add it to kernel to avoid previous
> > mentioned issue.
> >
> > Here is my patch:
> >
> > --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 > > 12:03:50.163311506 > > +0200 > > +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 > > 12:06:29.793304755 +0200
> > @@ -62,9 +62,18 @@ > > SYSCTL_DECL(_vfs_nfsd); > > > > static int disable_checkutf8 =3D 0; > > +static int disable_nobodycheck =3D 0; > > +static int disable_nogroupcheck =3D 0; > > SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, > > &disable_checkutf8, 0, > > "Disable the NFSv4 check for a UTF8 compliant name"); > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, > > + &disable_nobodycheck, 0, > > + "Disable the NFSv4 check when setting user nobody as owner"); > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW, > > + &disable_nogroupcheck, 0, > > + "Disable the NFSv4 check when setting group nogroup as > > owner"); > > + > > Patch looks fine to me. Marcelo, you can commit this if you'd like. Otherwise I'll do it. Sorry it took a while for me to remember this was disabled. (My only excuse is I wrote it about 10years ago;-) rick > > static char nfsrv_hexdigit(char, int *); 
> > > > @@ -1543,8 +1552,8 @@ > > */ > > if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) > > goto out; > > - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > nfsrv_defaultuid) > > - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > nfsrv_defaultgid)) { > > + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > nfsrv_defaultuid && > > disable_nobodycheck =3D=3D 0) > > + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > nfsrv_defaultgid && > > disable_nogroupcheck =3D=3D 0)) { > > error =3D NFSERR_BADOWNER; > > goto out; > > } > > Regards, > > > > Lo=C3=AFc Blot, > > UNIX Systems, Network and Security Engineer > > http://www.unix-experience.fr > > _______________________________________________ > > freebsd-fs@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > > To unsubscribe, send any mail to > > "freebsd-fs-unsubscribe@freebsd.org" >=20 >=20 >=20 >=20 > -- >=20 > -- > Marcelo Araujo (__)araujo@FreeBSD.org > \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/> \/ \ ^ > Power To Server. .\. /_) > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
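Review bot: The two new SYSCTL_INT descriptions in the first hunk (@@ -62,9 +62,18 @@) name "user nobody" and "group nogroup", but the check they gate compares against nfsrv_defaultuid and nfsrv_defaultgid, so the text is only accurate while those defaults are nobody/nogroup. Suggest wording the descriptions in terms of the default uid/gid and stating the effect of a non-zero value (NFSERR_BADOWNER is no longer returned when the owner or group being set equals the default id). Both knobs are CTLFLAG_RW and weaken an ownership check at runtime, yet the patch carries no man page or comment update explaining when it is appropriate to set them; that documentation should come with the commit.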
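Review bot: In the rewritten if of the second hunk (@@ -1543,8 +1552,8 @@), once disable_nobodycheck or disable_nogroupcheck is non-zero the server accepts any request whose na_uid or na_gid equals nfsrv_defaultuid or nfsrv_defaultgid, regardless of how the value came to be the default. If an owner string that could not be mapped also ends up as the default id, that request is now applied as nobody/nogroup instead of being rejected with NFSERR_BADOWNER. The block comment above the test should be extended to say so, so the trade-off is visible at the point of the check. The two flags are evaluated independently, so a request setting both owner and group to the defaults still fails unless both sysctls are set; worth stating in the sysctl descriptions. Style: the added conditions run past 80 columns (the mailer has already wrapped them); break after the && and consider !disable_nobodycheck in place of disable_nobodycheck == 0.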