Date:      Wed, 15 Oct 2014 10:24:46 +0800
From:      Marcelo Araujo <araujobsdport@gmail.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com>
In-Reply-To: <CAOfEmZhbAvC26j-sx3A9sLcr_mc1Z3KNv_%2BYAgJV0M5hvSdnQw@mail.gmail.com>
References:  <op.xnpyg0oxkndu52@ronaldradial.radialsg.local> <2111556765.63849821.1413288573994.JavaMail.root@uoguelph.ca> <CAOfEmZhbAvC26j-sx3A9sLcr_mc1Z3KNv_%2BYAgJV0M5hvSdnQw@mail.gmail.com>

Hello Ronald and Blot,

Here is the patch with a small rework. I considered Ronaldo's comments and
also changed the code style a bit.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mentioned, I will rework that part
later to make it enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo <araujobsdport@gmail.com>:

> Hello All,
>
> Before I commit it, I will double check what the best way is.
> Thanks to Ronald for pointing it out.
>
> Best Regards,
>
> 2014-10-14 20:09 GMT+08:00 Rick Macklem <rmacklem@uoguelph.ca>:
>
>> Ronald Klop wrote:
>> > I thought it is advised to make settings positively defined. So not
>> > use
>> > 'disable = 1', but 'enable = 0'.
>> >
>> For the case of disable_utf8, I made it negative, since disabling the
>> check violates RFC-3530. For these checks, there isn't anything in the
>> RFC requiring the check AFAIK, so I personally don't care which way they
>> are done. (If the default is disabling the check that could be a minor
>> POLA
>> violation.)
>>
>> So, you guys choose whichever you prefer to commit, rick
>>
>> > Ronald.
>> >
>> >
>> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
>> > <araujobsdport@gmail.com> wrote:
>> >
>> > > Hello Blot,
>> > >
>> > > The patch looks reasonable.
>> > > As per the email thread, it seems a good approach to overcome this
>> > > issue, at
>> > > least for now.
>> > >
>> > > If Rick has no objection and no free time, I can commit the patch
>> > > during
>> > > this week.
>> > >
>> > > Best Regards,
>> > >
>> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot
>> > > <loic.blot@unix-experience.fr>:
>> > >
>> > >> Hi,
>> > >>  since a recent problem (see thread NFSv4 nobody issue), I think
>> > >>  we
>> > >> need a
>> > >> sysctl variable to disable the nobody and nogroup check in the
>> > >> kernel
>> > >> (default enabled)
>> > >>  This variable is useful in some situations, like TFTP over NFS,
>> > >>  jails
>> > >> over NFS (some files like /var/db/locate.database need nobody
>> > >> user).
>> > >>
>> > >>  I added vfs.nfsd.disable_nobodycheck and
>> > >>  vfs.nfsd.disable_nogroupcheck
>> > >> to
>> > >> modify NFSv4 nobody/nogroup check.
>> > >>
>> > >>  Thanks to Rick for telling me where the problem was.
>> > >>
>> > >>  Can you review the patch and add it to the kernel to avoid the
>> > >> previously mentioned issue?
>> > >>
>> > >>  Here is my patch:
>> > >>
>> > >>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
>> > >> 12:03:50.163311506
>> > >> +0200
>> > >>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
>> > >>  12:06:29.793304755
>> > >> +0200
>> > >>  @@ -62,9 +62,18 @@
>> > >>   SYSCTL_DECL(_vfs_nfsd);
>> > >>
>> > >>   static int    disable_checkutf8 =3D 0;
>> > >>  +static int    disable_nobodycheck =3D 0;
>> > >>  +static int    disable_nogroupcheck =3D 0;
>> > >>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>> > >>       &disable_checkutf8, 0,
>> > >>       "Disable the NFSv4 check for a UTF8 compliant name");
>> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>> > >>  +    &disable_nobodycheck, 0,
>> > >>  +    "Disable the NFSv4 check when setting user nobody as
>> > >>  owner");
>> > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
>> > >>  CTLFLAG_RW,
>> > >>  +    &disable_nogroupcheck, 0,
>> > >>  +    "Disable the NFSv4 check when setting group nogroup as
>> > >>  owner");
>> > >>  +
>> > >>
>> > >>   static char nfsrv_hexdigit(char, int *);
>> > >>
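
Review bot: the two new `static int` declarations land between `disable_checkutf8` and its own `SYSCTL_INT`, which separates that variable from its sysctl; put each new variable directly above its own `SYSCTL_INT`, after the existing `disable_checkutf8` block. The added trailing blank `+` line also leaves two blank lines before `static char nfsrv_hexdigit(char, int *);` and can be dropped. The description strings say "user nobody" and "group nogroup" although the check in the second hunk compares against `nfsrv_defaultuid` and `nfsrv_defaultgid`; the descriptions should name what is actually compared and say that a non-zero value stops the `NFSERR_BADOWNER` reply.
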
>> > >>  @@ -1543,8 +1552,8 @@
>> > >>        */
>> > >>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>> > >>           goto out;
>> > >>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
>> > >>  nfsrv_defaultuid)
>> > >>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
>> > >> nfsrv_defaultgid)) {
>> > >>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
>> > >>  nfsrv_defaultuid &&
>> > >> disable_nobodycheck =3D=3D 0)
>> > >>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
>> > >>  nfsrv_defaultgid
>> > >> &&
>> > >> disable_nogroupcheck =3D=3D 0)) {
>> > >>           error =3D NFSERR_BADOWNER;
>> > >>           goto out;
>> > >>       }
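
Review bot: in the rewritten condition the two knobs act independently, so with only `disable_nobodycheck` set, a request that sets both `na_uid == nfsrv_defaultuid` and `na_gid == nfsrv_defaultgid` still gets `NFSERR_BADOWNER` from the gid branch. Document that in the sysctl descriptions or in the comment above the check, which this hunk leaves unchanged and which no longer describes the behaviour once a knob is set. The added lines are also long enough to have been wrapped in transit; break each branch after `&&` and test the flag first so the cheap comparison short-circuits the rest.
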
>> > >>  Regards,
>> > >>
>> > >>  Loïc Blot,
>> > >>  UNIX Systems, Network and Security Engineer
>> > >>  http://www.unix-experience.fr
>> > >> _______________________________________________
>> > >> freebsd-fs@freebsd.org mailing list
>> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> > >> To unsubscribe, send any mail to
>> > >> "freebsd-fs-unsubscribe@freebsd.org"
>> > >
>> > >
>> > >
>> >
>>
>
>
>
> --
>
> --
> Marcelo Araujo            (__)araujo@FreeBSD.org     \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>;   \/  \ ^
> Power To Server.         .\. /_)
>
>


--
Marcelo Araujo            (__)araujo@FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>;   \/  \ ^
Power To Server.         .\. /_)
