Date:      Wed, 15 Oct 2014 07:21:19 +0000
From:      "Loïc Blot" <loic.blot@unix-experience.fr>
To:        araujo@freebsd.org, "Rick Macklem" <rmacklem@uoguelph.ca>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <345e74ad56f643496a0fa158dda30733@mail.unix-experience.fr>
In-Reply-To: <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com>
References:  <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com> <op.xnpyg0oxkndu52@ronaldradial.radialsg.local> <2111556765.63849821.1413288573994.JavaMail.root@uoguelph.ca> <CAOfEmZhbAvC26j-sx3A9sLcr_mc1Z3KNv_%2BYAgJV0M5hvSdnQw@mail.gmail.com>

Hi,
I agree, thanks for your rework!

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

On 15 October 2014 04:24, "Marcelo Araujo" wrote:

Hello Ronald and Blot,

Here is the patch with a small rework. I considered Ronald's comments and also changed the code style a bit.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo:

Hello All,

Before I commit it, I will double check what is the best way.
Thanks to Ronald for pointing it out.

Best Regards,

2014-10-14 20:09 GMT+08:00 Rick Macklem:

Ronald Klop wrote:
> I thought it is advised to make settings positively defined. So not use
> 'disable = 1', but 'enable = 0'.
>
For the case of disable_utf8, I made it negative, since disabling the
check violates RFC-3530. For these checks, there isn't anything in the
RFC requiring the check AFAIK, so I personally don't care which way they
are done. (If the default is disabling the check that could be a minor POLA
violation.)

So, you guys choose whichever you prefer to commit, rick

> Ronald.
>
> On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
>
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, it seems a good approach to overcome this
> > issue, at least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch
> > during this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot:
> >
> >> Hi,
> >> since a recent problem (see thread NFSv4 nobody issue), I think we
> >> need a sysctl variable to disable the nobody and nogroup check in the
> >> kernel (default enabled).
> >> This variable is useful in some situations, like TFTP over NFS, jails
> >> over NFS (some files like /var/db/locate.database need the nobody
> >> user).
> >>
> >> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
> >> to modify the NFSv4 nobody/nogroup check.
> >>
> >> Thanks to Rick for telling me where the problem was.
> >>
> >> Can you review the patch and add it to the kernel to avoid the
> >> previously mentioned issue?
> >>
=C2=A0 Here is my patch:=0A > >>=0A > >>=C2=A0 --- sys/fs/nfsserver/nfs_n=
fsdsubs.c.orig=C2=A0 =C2=A0 2014-10-14=0A > >> 12:03:50.163311506=0A > >>=
 +0200=0A > >>=C2=A0 +++ sys/fs/nfsserver/nfs_nfsdsubs.c=C2=A0 =C2=A0 201=
4-10-14=0A > >>=C2=A0 12:06:29.793304755=0A > >> +0200=0A > >>=C2=A0 @@ -=
62,9 +62,18 @@=0A > >>=C2=A0 =C2=A0SYSCTL_DECL(_vfs_nfsd);=0A > >>=0A > >=
>=C2=A0 =C2=A0static int=C2=A0 =C2=A0 disable_checkutf8 =3D 0;=0A > >>=C2=
=A0 +static int=C2=A0 =C2=A0 disable_nobodycheck =3D 0;=0A > >>=C2=A0 +st=
atic int=C2=A0 =C2=A0 disable_nogroupcheck =3D 0;=0A > >>=C2=A0 =C2=A0SYS=
CTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,=0A > >>=C2=A0=
 =C2=A0 =C2=A0 =C2=A0&disable_checkutf8, 0,=0A > >>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0"Disable the NFSv4 check for a UTF8 compliant name");=0A > >>=C2=A0=
 +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,=0A > >=
>=C2=A0 +=C2=A0 =C2=A0 &disable_nobodycheck, 0,=0A > >>=C2=A0 +=C2=A0 =C2=
=A0 "Disable the NFSv4 check when setting user nobody as=0A > >>=C2=A0 ow=
ner");=0A > >>=C2=A0 +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupchec=
k,=0A > >>=C2=A0 CTLFLAG_RW,=0A > >>=C2=A0 +=C2=A0 =C2=A0 &disable_nogrou=
pcheck, 0,=0A > >>=C2=A0 +=C2=A0 =C2=A0 "Disable the NFSv4 check when set=
ting group nogroup as=0A > >>=C2=A0 owner");=0A > >>=C2=A0 +=0A > >>=0A >=
 >>=C2=A0 =C2=A0static char nfsrv_hexdigit(char, int *);=0A > >>=0A > >>=
=C2=A0 @@ -1543,8 +1552,8 @@=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 */=0A > >=
>=C2=A0 =C2=A0 =C2=A0 =C2=A0if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGI=
D(nvap))=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto out;=0A > >=
>=C2=A0 -=C2=A0 =C2=A0 if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D=
=0A > >>=C2=A0 nfsrv_defaultuid)=0A > >>=C2=A0 -=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D=0A > >> nfsrv_defaul=
tgid)) {=0A > >>=C2=A0 +=C2=A0 =C2=A0 if ((NFSVNO_ISSETUID(nvap) && nvap-=
>na_uid =3D=3D=0A > >>=C2=A0 nfsrv_defaultuid &&=0A > >> disable_nobodych=
eck =3D=3D 0)=0A > >>=C2=A0 +=C2=A0 =C2=A0 =C2=A0 =C2=A0 || (NFSVNO_ISSET=
GID(nvap) && nvap->na_gid =3D=3D=0A > >>=C2=A0 nfsrv_defaultgid=0A > >> &=
&=0A > >> disable_nogroupcheck =3D=3D 0)) {=0A > >>=C2=A0 =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A0error =3D NFSERR_BADOWNER;=0A > >>=C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 =C2=A0goto out;=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0}=0A =
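Review bot: In the first hunk (@@ -62,9 +62,18 @@), both new variables are exposed as CTLFLAG_RW with a one-line description string as their only documentation, and the patch changes no file other than nfs_nfsdsubs.c. Since setting either one stops the server from returning NFSERR_BADOWNER for the matching default id, the knobs should be described in a manual page along with their default of 0 (check enabled). The thread's point about positively named settings applies to these names too, and the hunk's last added line is an empty `+` directly before an existing blank line, which leaves two blank lines ahead of the nfsrv_hexdigit prototype.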
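Review bot: In the second hunk (@@ -1543,8 +1552,8 @@), the two replacement lines of the `if` now carry three tests each and run well past 80 columns; break each clause after an `&&` and align the continuation so the uid and gid halves stay readable. The comment ending in `*/` just above the condition is not part of the change, so if it explains why an owner or group equal to the default id is rejected, it should also say that vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck switch the two halves off independently.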
> >> Regards,
> >>
> >> Loïc Blot,
> >> UNIX Systems, Network and Security Engineer
> >> http://www.unix-experience.fr
> >> _______________________________________________
> >> freebsd-fs@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> >> To unsubscribe, send any mail to
> >> "freebsd-fs-unsubscribe@freebsd.org"

--
Marcelo Araujo
araujo@FreeBSD.org
http://www.FreeBSD.org
Power To Server.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?345e74ad56f643496a0fa158dda30733>