Date:      Tue, 14 Oct 2014 18:46:25 +0800
From:      Marcelo Araujo <araujobsdport@gmail.com>
To:        Loïc Blot <loic.blot@unix-experience.fr>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com>
In-Reply-To: <ccad8b9abb67b704e435accfc88513ea@mail.unix-experience.fr>
References:  <ccad8b9abb67b704e435accfc88513ea@mail.unix-experience.fr>

Hello Blot,

The patch looks reasonable.
As per the email thread, it seems a good approach to overcome this issue, at
least for now.

If Rick has no objection and no free time, I can commit the patch during
this week.

Best Regards,

2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot@unix-experience.fr>:

> Hi,
>  since a recent problem (see thread NFSv4 nobody issue), I think we need a
> sysctl variable to disable nobody and nogroup check in the kernel
> (default enabled)
>  This variable is useful in some situations, like TFTP over NFS, jails
> over NFS (some files like /var/db/locate.database need nobody user).
>
>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> modify NFSv4 nobody/nogroup check.
>
>  Thanks to Rick for telling me where the problem was.
>
>  Can you review the patch, and add it to kernel to avoid previously
> mentioned issue.
>
>  Here is my patch:
>
>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14 12:03:50.16331150=
6
> +0200
>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14 12:06:29.793304755 +02=
00
>  @@ -62,9 +62,18 @@
>   SYSCTL_DECL(_vfs_nfsd);
>
>   static int    disable_checkutf8 =3D 0;
>  +static int    disable_nobodycheck =3D 0;
>  +static int    disable_nogroupcheck =3D 0;
>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>       &disable_checkutf8, 0,
>       "Disable the NFSv4 check for a UTF8 compliant name");
>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>  +    &disable_nobodycheck, 0,
>  +    "Disable the NFSv4 check when setting user nobody as owner");
>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
>  +    &disable_nogroupcheck, 0,
>  +    "Disable the NFSv4 check when setting group nogroup as owner");
>  +
>
>   static char nfsrv_hexdigit(char, int *);
>
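
Review bot: the description strings on the two new SYSCTL_INT entries say "user nobody" and "group nogroup", but the test these knobs gate in the second hunk compares against nfsrv_defaultuid and nfsrv_defaultgid, so the text should name the default uid/gid and say that a non-zero value stops NFSERR_BADOWNER being returned for them. The added blank `+` line after the last SYSCTL_INT leaves two empty lines before the nfsrv_hexdigit prototype and can be dropped. The patch touches only nfs_nfsdsubs.c, so these strings are the only documentation of the new knobs; a manual page note describing what is relaxed when they are set would help administrators decide whether to enable them.
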
>  @@ -1543,8 +1552,8 @@
>        */
>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>           goto out;
>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_defaultuid)
>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D nfsrv_defaultg=
id)) {
>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_defaultuid =
&&
> disable_nobodycheck =3D=3D 0)
>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D nfsrv_defaultg=
id &&
> disable_nogroupcheck =3D=3D 0)) {
>           error =3D NFSERR_BADOWNER;
>           goto out;
>       }
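
Review bot: in the rewritten `if`, appending `&& disable_nobodycheck == 0` and `&& disable_nogroupcheck == 0` pushes both condition lines well past 80 columns; wrap them, or put the knob test first in each branch (`disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && ...`) so the lines fit and the cheap comparison is evaluated first. The block comment that closes just above this test (the `*/` context line) should be updated to say the rejection is now conditional on the two sysctls. With only one knob set, a request that sets both owner and group to the defaults still gets NFSERR_BADOWNER through the other branch; that is reasonable behaviour, but worth stating in the sysctl descriptions so it is not reported as a bug.
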
>  Regards,
>
>  Loïc Blot,
>  UNIX Systems, Network and Security Engineer
>  http://www.unix-experience.fr




-- 
Marcelo Araujo
araujo@FreeBSD.org
http://www.FreeBSD.org
Power To Server.


