From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 202659] rpcsec_gss has a 16-group limit
Date: Tue, 25 Aug 2015 18:36:26 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202659

            Bug ID: 202659
           Summary: rpcsec_gss has a 16-group limit
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: matthew.l.dailey@dartmouth.edu

Created attachment 160354
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=160354&action=edit
Patch for svc_rpcsec_gss to switch from RPCAUTH_UNIXGIDS to NGROUPS

System: FreeBSD freebsd-test 10.2-RELEASE FreeBSD 10.2-RELEASE #1: Fri Aug 21 11:12:07 EDT 2015 root@freebsd-test.thayer.dartmouth.edu:/usr/obj/usr/src/sys/GENERIC_GSS amd64

I have observed this issue as far back as 9.1-RELEASE.

Overview:

The kernel code for svc_rpcsec_gss and the userspace code for gssd implement a 16-group limit for users.

Steps to reproduce:

The first step is to have a working FreeBSD nfs4 server tied into a kerberos infrastructure and exporting directories with one of the krb5 security flavors.

The FreeBSD nfs4 server requires a kernel built with:

options KGSSAPI
device crypto

Here is the simple /etc/exports on the server:

V4: /exports -sec=krb5:krb5i
/exports -sec=krb5

Add a user to more than 16 groups on the nfs4 server:

# groups testuser
staff group1 group2 group3 group4 group5 group6 group7 group8 group9 group10 group11 group12 group13 group14 group15 group16

Set permissions on an exported directory for the 17th or higher group:

# ls -ld /exports/group16
drwxrwxr-x 2 root group16 3 Aug 21 13:08 /exports/group16

Try to access this directory as this user from a remote client:

# mount -t nfs4 -osec=krb5,nosuid freebsd-test:/ /mnt/exports
$ touch /mnt/exports/group16/testfile
touch: cannot touch `/mnt/exports/group16/testfile`: Permission denied

Directories with permissions for the 16th and under groups work:

server# ls -ld /exports/group15
drwxrwxr-x 2 root group15 3 Aug 21 10:29 /exports/group15
client$ touch /mnt/exports/group15/testfile
client$ ls -al /mnt/exports/group15/testfile
-rw-r--r-- 1 testuser group15 0 Aug 21 10:29 /mnt/exports/group15/testfile

Problem description:

This problem appears to come from defines in both sys/rpc/rpcsec_gss/svc_rpcsec_gss.c and usr.sbin/gssd/gssd.c.

In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the group limit is defined using RPCAUTH_UNIXGIDS. It looks like this may have originally come from sys/fs/nfs/rpc2.h, but I don't think this is included by the code, so RPCAUTH_UNIXGIDS is defined locally.

In usr.sbin/gssd/gssd.c, the group limit is defined using NGRPS. This comes ultimately from sys/rpc/auth_unix.h, which is included in gssd.c from sys/rpc/rpc.h.

Proposed solution:

In both cases, I would propose that this be fixed by using the NGROUPS definition from sys/sys/param.h instead of the existing definitions. This will not only lift the current 16-group limit, but allow the code to track future increases in this value. There was previously a buffer issue in gssd that prevented this increase, but this was fixed in May 2013 in base r250176.

We have been running a production system (originally 9.1-RELEASE, upgraded to 9.3-RELEASE in March 2015) where I raised the limit in both svc_rpcsec_gss.c and gssd.c to 256 groups. This has been running since May 2013 without any problems. I have also tested these exact patches on a 10.2-RELEASE system, and experienced no problems in limited testing.

Attached are my proposed patches. Please let me know if you have any questions or need any other information about these patches.

-- 
You are receiving this mail because:
You are the assignee for the bug.
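The failure mode the report describes is a credential that is truncated before the permission check runs: the server keeps only the first N group IDs it receives, so membership in any later group is invisible to the mode-bit check and the write is refused. The following is an added model of that mechanism, written for this page; it is not the FreeBSD kernel or gssd source, and the UIDs, GIDs, the 1024 stand-in for a larger NGROUPS, and the function names are all constructed. It reproduces the report's scenario (staff as the primary group plus group1..group16, directories owned by root:groupN with mode 0775) under the old 16-entry cap and under a larger one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the failure mode described in bug 202659; it is not
 * the FreeBSD kernel or gssd source. The server-side credential keeps at
 * most `limit` group IDs, and anything beyond that is dropped before the
 * permission check ever sees it. */
#define OLD_LIMIT 16       /* the RPCAUTH_UNIXGIDS / NGRPS value from the report */
#define NEW_LIMIT 1024     /* hypothetical stand-in for a larger NGROUPS */
#define MAX_MODEL_GROUPS NEW_LIMIT

struct model_cred {
    unsigned int uid;
    size_t ngroups;                          /* entries used in groups[] */
    unsigned int groups[MAX_MODEL_GROUPS];   /* groups[0] is the primary group */
};

/* Copy the user's group list into the credential, truncating at `limit`.
 * Returns the number of groups silently dropped. */
size_t build_cred(struct model_cred *c, unsigned int uid,
                  const unsigned int *groups, size_t ngroups, size_t limit)
{
    size_t keep = ngroups < limit ? ngroups : limit;

    if (keep > MAX_MODEL_GROUPS)
        keep = MAX_MODEL_GROUPS;
    c->uid = uid;
    c->ngroups = keep;
    for (size_t i = 0; i < keep; i++)
        c->groups[i] = groups[i];
    return ngroups - keep;
}

/* True if the (possibly truncated) credential still carries `gid`. */
bool cred_in_group(const struct model_cred *c, unsigned int gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Minimal Unix-style write check for an object owned by owner:group with
 * the given mode bits (0775 for the drwxrwxr-x directories in the report). */
bool may_write(const struct model_cred *c, unsigned int owner,
               unsigned int group, unsigned int mode)
{
    if (c->uid == 0)
        return true;
    if (c->uid == owner)
        return (mode & 0200) != 0;
    if (cred_in_group(c, group))
        return (mode & 0020) != 0;
    return (mode & 0002) != 0;
}

/* Constructed IDs for the report's scenario: staff is the primary group and
 * group1..group16 map to 1001..1016, so group16 is the 17th entry. */
#define TESTUSER_UID     5001
#define STAFF_GID        20
#define GROUP_GID(n)     (1000u + (n))
#define TESTUSER_NGROUPS 17

static size_t testuser_groups(unsigned int *out)
{
    out[0] = STAFF_GID;
    for (unsigned int n = 1; n <= 16; n++)
        out[n] = GROUP_GID(n);
    return TESTUSER_NGROUPS;
}

/* Would `touch /exports/groupN/testfile` succeed for testuser when the
 * server keeps at most `limit` groups? The directory is root:groupN, 0775. */
bool testuser_can_write(unsigned int n, size_t limit)
{
    unsigned int groups[TESTUSER_NGROUPS];
    struct model_cred cred;
    size_t ngroups = testuser_groups(groups);

    build_cred(&cred, TESTUSER_UID, groups, ngroups, limit);
    return may_write(&cred, 0, GROUP_GID(n), 0775);
}

/* How many of testuser's groups the server forgets at a given limit. */
size_t testuser_groups_dropped(size_t limit)
{
    unsigned int groups[TESTUSER_NGROUPS];
    struct model_cred cred;
    size_t ngroups = testuser_groups(groups);

    return build_cred(&cred, TESTUSER_UID, groups, ngroups, limit);
}

int main(void)
{
    printf("limit %d: group15 %s, group16 %s (%zu group(s) dropped)\n", OLD_LIMIT,
           testuser_can_write(15, OLD_LIMIT) ? "ok" : "denied",
           testuser_can_write(16, OLD_LIMIT) ? "ok" : "denied",
           testuser_groups_dropped(OLD_LIMIT));
    printf("limit %d: group16 %s (%zu group(s) dropped)\n", NEW_LIMIT,
           testuser_can_write(16, NEW_LIMIT) ? "ok" : "denied",
           testuser_groups_dropped(NEW_LIMIT));
    return 0;
}
```

The point the model makes is that the denial is not an error the server can report: from the permission check's point of view the user simply is not in group16, so the client sees a plain EACCES with no hint that the credential was clipped. Tying both the kernel and gssd arrays to a single definition, as the report proposes, removes the mismatch and the silent drop at the same time.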