Date: Tue, 25 Aug 2015 18:36:26 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 202659] rpcsec_gss has a 16-group limit Message-ID: <bug-202659-8@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202659 Bug ID: 202659 Summary: rpcsec_gss has a 16-group limit Product: Base System Version: 10.2-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: freebsd-bugs@FreeBSD.org Reporter: matthew.l.dailey@dartmouth.edu Created attachment 160354 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=160354&action=edit Patch for svc_rpcsec_gss to switch from RPCAUTH_UNIXGIDS to NGROUPS System: FreeBSD freebsd-test 10.2-RELEASE FreeBSD 10.2-RELEASE #1: Fri Aug 21 11:12:07 EDT 2015 root@freebsd-test.thayer.dartmouth.edu:/usr/obj/usr/src/sys/GENERIC_GSS amd64 I have observed this issue as far back as 9.1-RELEASE. Overview: The kernel code for svc_rpcsec_gss and the userspace code for gssd implement a 16-group limit for users. Steps to reproduce: The first step is to have a working FreeBSD nfs4 server tied into a kerberos infrastructure and exporting directories with one of the krb5 security flavors The FreeBSD nfs4 server requires a kernel built with: options KGSSAPI device crypto Here is the simple /etc/exports on the server: V4: /exports -sec=krb5:krb5i /exports -sec=krb5 Add a user to more than 16 groups on the nfs4 server: # groups testuser staff group1 group2 group3 group4 group5 group6 group7 group8 group9 group10 group11 group12 group13 group14 group15 group16 Set permissions on an exported directory for the 17th or higher group # ls -ld /exports/group16 drwxrwxr-x 2 root group16 3 Aug 21 13:08 /exports/group16 Try to access this directory as this user from a remote client # mount -t nfs4 -osec=krb5,nosuid freebsd-test:/ /mnt/exports $ touch /mnt/exports/group16/testfile touch: cannot touch `/mnt/exports/group16/testfile`: Permission denied Directories with permissions for the 16th and under groups work: server# ls -ld /exports/group15 drwxrwxr-x 2 root group15 3 Aug 21 10:29 /exports/group15 client$ touch /mnt/exports/group15/testfile client$ ls -al /mnt/exports/group15/testfile -rw-r--r-- 1 testuser group15 0 Aug 21 10:29 /mnt/exports/group15/testfile Problem description: This problem appears to come from defines in both sys/rpc/rpcsec_gss/svc_rpcsec_gss.c and usr.sbin/gssd/gssd.c In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the group limit is defined using RPCAUTH_UNIXGIDS. It looks like this may have originally come from sys/fs/nfs/rpc2.h, but I don't think this is included by the code, so RPCAUTH_UNIXGIDS is defined locally. In usr.sbin/gssd/gssd.c, the group limit is defined using NGRPS. This comes ultimately from sys/rpc/auth_unix.h, which is included in gssd.c from sys/rpc/rpc.h. Proposed solution: In both cases, I would propose that this be fixed by using the NGROUPS definition from sys/sys/param.h instead of the existing definitions. This will not only lift the current 16-group limit, but allow the code to track future increases in this value. There was previously a buffer issue in gssd that prevented this increase, but this was fixed in May 2013 in base r250176. We have been running a production system (originally 9.1-RELEASE, upgraded to 9.3-RELEASE in March 2015) where I raised the limit in both svc_rpcsec_gss.c and gssd.c to 256 groups. This has been running since May 2013 without any problems. I have also tested these exact patches on a 10.2-RELEASE system, and experienced no problems in limited testing. Attached are my proposed patches. Please let me know if you have any questions or need any other information about these patches. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-202659-8>