Date: Wed, 15 Oct 2014 10:24:46 +0800
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
From: Marcelo Araujo
To: Rick Macklem
Cc: "freebsd-fs@freebsd.org"

Hello Ronald and Blot,

Here is the patch with a small rework. I considered Ronaldo's comments, and I also changed the code style a bit.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo:

> Hello All,
>
> Before I commit it, I will double check what is the best way.
> Thanks Ronald to point it out.
>
> Best Regards,
>
> 2014-10-14 20:09 GMT+08:00 Rick Macklem:
>
>> Ronald Klop wrote:
>> > I thought it is advised to make settings positively defined. So not use
>> > 'disable = 1', but 'enable = 0'.
>> >
>> For the case of disable_utf8, I made it negative, since disabling the
>> check violates RFC-3530. For these checks, there isn't anything in the
>> RFC requiring the check AFAIK, so I personally don't care which way they
>> are done. (If the default is disabling the check that could be a minor
>> POLA violation.)
>>
>> So, you guys choose whichever you prefer to commit, rick
>>
>> > Ronald.
>> >
>> >
>> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
>> >
>> > > Hello Blot,
>> > >
>> > > The patch looks reasonable.
>> > > As per the email thread, seems a good approach to overcome this
>> > > issue, at least for now.
>> > >
>> > > If Rick has no objection and no free time, I can commit the patch
>> > > during this week.
>> > >
>> > > Best Regards,
>> > >
>> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot:
>> > >
>> > >> Hi,
>> > >> since a recent problem (see thread NFSv4 nobody issue), I think we
>> > >> need a sysctl variable to disable nobody and nogroup check into the
>> > >> kernel (default enabled)
>> > >> This variable is useful in some situations, like TFTP over NFS, jails
>> > >> over NFS (some files like /var/db/locate.database need nobody user).
>> > >>
>> > >> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
>> > >> to modify NFSv4 nobody/nogroup check.
>> > >>
>> > >> Thanks to Rick to tell me where the problem was.
>> > >>
>> > >> Can you review the patch, and add it to kernel to avoid previous
>> > >> mentioned issue.
>> > >>
>> > >> Here is my patch:
>> > >>
>> > >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 >> > >> 12:03:50.163311506 >> > >> +0200 >> > >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 >> > >> 12:06:29.793304755 >> > >> +0200 >> > >> @@ -62,9 +62,18 @@ >> > >> SYSCTL_DECL(_vfs_nfsd); >> > >> >> > >> static int disable_checkutf8 =3D 0; >> > >> +static int disable_nobodycheck =3D 0; >> > >> +static int disable_nogroupcheck =3D 0; >> > >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, >> > >> &disable_checkutf8, 0, >> > >> "Disable the NFSv4 check for a UTF8 compliant name"); >> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, >> > >> + &disable_nobodycheck, 0, >> > >> + "Disable the NFSv4 check when setting user nobody as >> > >> owner"); >> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, >> > >> CTLFLAG_RW, >> > >> + &disable_nogroupcheck, 0, >> > >> + "Disable the NFSv4 check when setting group nogroup as >> > >> owner"); >> > >> + >> > >> >> > >> static char nfsrv_hexdigit(char, int *); 
>> > >> >> > >> @@ -1543,8 +1552,8 @@ >> > >> */ >> > >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) >> > >> goto out; >> > >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D >> > >> nfsrv_defaultuid) >> > >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D >> > >> nfsrv_defaultgid)) { >> > >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D >> > >> nfsrv_defaultuid && >> > >> disable_nobodycheck =3D=3D 0) >> > >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D >> > >> nfsrv_defaultgid >> > >> && >> > >> disable_nogroupcheck =3D=3D 0)) { >> > >> error =3D NFSERR_BADOWNER; >> > >> goto out; >> > >> }
>> > >> Regards,
>> > >>
>> > >> Loïc Blot,
>> > >> UNIX Systems, Network and Security Engineer
>> > >> http://www.unix-experience.fr
>> > >> _______________________________________________
>> > >> freebsd-fs@freebsd.org mailing list
>> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> > >> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
>> > >
>> > >
>> > >
>> >
>> >
>
> --
>
> --
> Marcelo Araujo (__)
> araujo@FreeBSD.org \\\'',)
> http://www.FreeBSD.org \/ \ ^
> Power To Server. .\. /_)
>

--
--
Marcelo Araujo (__)
araujo@FreeBSD.org \\\'',)
http://www.FreeBSD.org \/ \ ^
Power To Server. .\.
/_)

Content-Disposition: attachment; filename="nfs-nogroup-user.patch"
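
Review bot: in the first quoted hunk (@@ -62,9 +62,18 @@) the description strings on the two added SYSCTL_INT entries, "Disable the NFSv4 check when setting user nobody as owner" and its nogroup counterpart, do not say what the check does, so an administrator reading them cannot tell what changes when the knob is set to 1. Going by the second hunk, what goes away is the NFSERR_BADOWNER reply when the requested na_uid equals nfsrv_defaultuid (or na_gid equals nfsrv_defaultgid); suggest wording the descriptions around that effect. The added blank line after the last SYSCTL_INT also leaves two empty lines before the nfsrv_hexdigit prototype and can be dropped.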
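
Review bot: in the second quoted hunk (@@ -1543,8 +1552,8 @@) the uid arm and the gid arm of the || each test their own flag, so with only disable_nobodycheck set, a request that sets the owner to nfsrv_defaultuid and the group to nfsrv_defaultgid together still gets NFSERR_BADOWNER from the gid arm. If the two knobs are meant to be independent, state that where they are described, since a file that needs both nobody and nogroup requires both to be set. For readability, consider testing the flag first in each arm, for example "(disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && ...)", so the condition that gates the check is the first thing a reader sees.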