Date: Tue, 14 Oct 2014 14:04:02 +0200
From: "Ronald Klop" <ronald-lists@klop.ws>
To: Loïc Blot <loic.blot@unix-experience.fr>, "Marcelo Araujo" <araujobsdport@gmail.com>, araujo@freebsd.org
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID: <op.xnpyg0oxkndu52@ronaldradial.radialsg.local>
In-Reply-To: <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com>
References: <ccad8b9abb67b704e435accfc88513ea@mail.unix-experience.fr> <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com>
I thought it is advised to make settings positively defined. So not use
'disable = 1', but 'enable = 0'.

Ronald.

On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo <araujobsdport@gmail.com> wrote:

> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch during
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot@unix-experience.fr>:
>
>> Hi,
>> since a recent problem (see thread NFSv4 nobody issue), I think we need a
>> sysctl variable to disable nobody and nogroup check into the kernel
>> (default enabled)
>> This variable is useful in some situations, like TFTP over NFS, jails
>> over NFS (some files like /var/db/locate.database need nobody user).
>>
>> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
>> modify NFSv4 nobody/nogroup check.
>>
>> Thanks to Rick for telling me where the problem was.
>>
>> Can you review the patch, and add it to the kernel to avoid the previously
>> mentioned issue.
>>
>> Here is my patch:
>>
>> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 = >> 12:03:50.163311506 >> +0200 >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 12:06:29.793304755= = >> +0200 
>> @@ -62,9 +62,18 @@ >> SYSCTL_DECL(_vfs_nfsd); >> >> static int disable_checkutf8 =3D 0; >> +static int disable_nobodycheck =3D 0; >> +static int disable_nogroupcheck =3D 0; >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, >> &disable_checkutf8, 0, >> "Disable the NFSv4 check for a UTF8 compliant name"); >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, >> + &disable_nobodycheck, 0, >> + "Disable the NFSv4 check when setting user nobody as owner"); >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW, >> + &disable_nogroupcheck, 0, >> + "Disable the NFSv4 check when setting group nogroup as owner");= >> + >> >> static char nfsrv_hexdigit(char, int *); >> >> @@ -1543,8 +1552,8 @@ >> */ >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) >> goto out; >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_default= uid) >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D = >> nfsrv_defaultgid)) { >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_default= uid && >> disable_nobodycheck =3D=3D 0) >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D nfsrv_defa= ultgid = >> && >> disable_nogroupcheck =3D=3D 0)) { >> error =3D NFSERR_BADOWNER; >> goto out; >> } >> Regards, >> >> Lo=EFc Blot, >> UNIX Systems, Network and Security Engineer >> http://www.unix-experience.fr >> _______________________________________________ >> freebsd-fs@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs >> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"= > > >
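Review bot: In the first hunk (@@ -62,9 +62,18 @@) the two new description strings name literal accounts ("user nobody", "group nogroup"), but the check they gate in the second hunk compares against nfsrv_defaultuid and nfsrv_defaultgid, so the text is only accurate where those defaults are nobody and nogroup. Suggest wording both descriptions in terms of the default uid/gid and stating that a non-zero value lets a client set that owner instead of receiving NFSERR_BADOWNER. Both knobs are CTLFLAG_RW and relax a server-side ownership check at runtime, so a short comment above the declarations saying why the check exists and in which setups it is meant to be turned off would help the next reader. The hunk also adds a second blank line after the last SYSCTL_INT; the trailing "+" line can be dropped.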
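Review bot: In the second hunk (@@ -1543,8 +1552,8 @@) the comment block that ends just above the condition is left unchanged although the NFSERR_BADOWNER rejection is now conditional on two sysctls; please update it to say so. The rewritten condition also runs each clause well past 80 columns with the knob test appended at the end; putting the knob first in each clause, e.g. "disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid", and wrapping one clause per line keeps it readable. The two knobs are independent in this expression: a request that sets both uid and gid to the defaults is still rejected unless both are non-zero, which is worth stating in the sysctl descriptions.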
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.xnpyg0oxkndu52>