Date: Tue, 14 Oct 2014 20:12:11 +0800
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
From: Marcelo Araujo
To: Rick Macklem
Cc: "freebsd-fs@freebsd.org"

Hello All,

Before I commit it, I will double check what is the best way.
Thanks to Ronald for pointing it out.

Best Regards,

2014-10-14 20:09 GMT+08:00 Rick Macklem:

> Ronald Klop wrote:
> > I thought it is advised to make settings positively defined. So not use
> > 'disable = 1', but 'enable = 0'.
> >
> For the case of disable_utf8, I made it negative, since disabling the
> check violates RFC-3530. For these checks, there isn't anything in the
> RFC requiring the check AFAIK, so I personally don't care which way they
> are done. (If the default is disabling the check that could be a minor POLA
> violation.)
>
> So, you guys choose whichever you prefer to commit, rick
>
> > Ronald.
> >
> >
> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
> >
> > > Hello Blot,
> > >
> > > The patch looks reasonable.
> > > As per the email thread, seems a good approach to overcome this issue, at
> > > least for now.
> > >
> > > If Rick has no objection and no free time, I can commit the patch during
> > > this week.
> > >
> > > Best Regards,
> > >
> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot:
> > >
> > >> Hi,
> > >> since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > >> sysctl variable to disable nobody and nogroup check into the kernel
> > >> (default enabled)
> > >> This variable is useful in some situations, like TFTP over NFS, jails
> > >> over NFS (some files like /var/db/locate.database need nobody user).
> > >>
> > >> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > >> modify NFSv4 nobody/nogroup check.
> > >>
> > >> Thanks to Rick for telling me where the problem was.
> > >>
> > >> Can you review the patch, and add it to kernel to avoid the previously
> > >> mentioned issue.
> > >>
> > >> Here is my patch:
> > >>
> > >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 > > >> 12:03:50.163311506 > > >> +0200 > > >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 > > >> 12:06:29.793304755 > > >> +0200 > > >> @@ -62,9 +62,18 @@ > > >> SYSCTL_DECL(_vfs_nfsd); > > >> > > >> static int disable_checkutf8 =3D 0; > > >> +static int disable_nobodycheck =3D 0; > > >> +static int disable_nogroupcheck =3D 0; > > >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, > > >> &disable_checkutf8, 0, > > >> "Disable the NFSv4 check for a UTF8 compliant name"); > > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, > > >> + &disable_nobodycheck, 0, > > >> + "Disable the NFSv4 check when setting user nobody as > > >> owner"); > > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, > > >> CTLFLAG_RW, > > >> + &disable_nogroupcheck, 0, > > >> + "Disable the NFSv4 check when setting group nogroup as > > >> owner"); > > >> + > > >> > > >> static char nfsrv_hexdigit(char, int *); 
> > >> > > >> @@ -1543,8 +1552,8 @@ > > >> */ > > >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) > > >> goto out; > > >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > >> nfsrv_defaultuid) > > >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > >> nfsrv_defaultgid)) { > > >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > >> nfsrv_defaultuid && > > >> disable_nobodycheck =3D=3D 0) > > >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > >> nfsrv_defaultgid > > >> && > > >> disable_nogroupcheck =3D=3D 0)) { > > >> error =3D NFSERR_BADOWNER; > > >> goto out; > > >> }
> > >> Regards,
> > >>
> > >> Loïc Blot,
> > >> UNIX Systems, Network and Security Engineer
> > >> http://www.unix-experience.fr
> > >> _______________________________________________
> > >> freebsd-fs@freebsd.org mailing list
> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > >> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"

-- 
Marcelo Araujo
araujo@FreeBSD.org
http://www.FreeBSD.org
Power To Server.
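
Review bot: In the first hunk (@@ -62,9 +62,18 @@), the two new description strings say "user nobody" and "group nogroup", but the test they gate in the second hunk compares against nfsrv_defaultuid and nfsrv_defaultgid, so the wording is only accurate while those defaults map to nobody and nogroup. Describe each knob in terms of the default uid/gid and say that a non-zero value stops NFSERR_BADOWNER from being returned for it. The hunk also adds a lone "+" blank line directly before the existing blank line ahead of nfsrv_hexdigit(), leaving two consecutive blank lines; drop it. The disable_/enable_ polarity raised in the thread should be settled before commit, since both names become part of the vfs.nfsd sysctl interface.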
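
Review bot: In the second hunk (@@ -1543,8 +1552,8 @@), the rewritten condition on the "+" lines runs well past 80 columns, leads a continuation line with "||", and buries the new flag at the end of each clause. Test the flag before the id comparison and keep one attribute per line, for example `(NFSVNO_ISSETUID(nvap) && !disable_nobodycheck && nvap->na_uid == nfsrv_defaultuid)` and the matching form for the gid. Once either flag is set, a request that sets the owner or group to the default id is accepted instead of failing with NFSERR_BADOWNER, so the comment that closes just above this test should name the two sysctls and state what they relax.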