Date: Sat, 19 Jun 2010 16:23:47 +0100 (BST)
From: Christopher Key <cjk32@cam.ac.uk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/147998: NFS -mapall group permissions ignored when -network is specified
Message-ID: <201006191523.o5JFNlxr001598@chacal.wzl33>
Resent-Message-ID: <201006191530.o5JFU2gU075460@freefall.freebsd.org>
>Number: 147998
>Category: kern
>Synopsis: NFS -mapall group permissions ignored when -network is specified
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 19 15:30:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Christopher Key
>Release: FreeBSD 8.0-RELEASE-p2 amd64
>Organization:
>Environment:
System: FreeBSD chacal.wzl33 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #2: Sat Jun 19 15:45:05 BST 2010 root@chacal.wzl33:/usr/obj/usr/src/sys/CHACAL amd64
>Description:
When -network (or any host restriction probably) is added to an nfs exports line, any group privileges for -mapall (and -maproot probably) get ignored.
>How-To-Repeat:
Outline steps, not actually tested.

mkdir /exports/dir
touch /exports/dir/file
chown u1:g1 /exports/dir /exports/dir/file
chmod 750 /exports/dir
chmod 640 /exports/dir/file

echo "/exports/dir -ro -mapall nobody:g1" > /etc/exports
kill -s HUP $(cat /var/run/mountd.pid)
# Can access /exports/dir/file via NFS

echo "/exports/dir -ro -mapall nobody:g1 --network 192.168.2.0/24" > /etc/exports
kill -s HUP $(cat /var/run/mountd.pid)
# Can't access /exports/dir/file via NFS

Further details in,
http://forums.freebsd.org/showthread.php?t=14493
>Fix:
--- vfs_export.c.patch begins here --- Index: sys/kern/vfs_export.c =================================================================== --- sys/kern/vfs_export.c (revision 209341) +++ sys/kern/vfs_export.c (working copy) @@ -208,7 +208,7 @@ np->netc_anon = crget(); np->netc_anon->cr_uid = argp->ex_anon.cr_uid; crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, - np->netc_anon->cr_groups); + argp->ex_anon.cr_groups); np->netc_anon->cr_prison = &prison0; prison_hold(np->netc_anon->cr_prison); np->netc_numsecflavors = argp->ex_numsecflavors; --- vfs_export.c.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
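Review bot: The crsetgroups() call takes its count from argp->ex_anon.cr_ngroups, and nothing in this hunk shows that value being range-checked before it decides how many entries are read from argp->ex_anon.cr_groups; please confirm it is validated earlier in the function, since both come from the export arguments. The substitution itself looks right: the removed third argument, np->netc_anon->cr_groups, read the group list back from the credential just obtained from crget() rather than from argp, so the count and the list came from different objects and the group given with -mapall never reached the per-network credential. I would also ask for a one-line comment on the call and a regression case for an export line that combines -mapall user:group with -network, as in the How-To-Repeat, because the report says the same line without -network already works.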