Date: Tue, 14 Oct 2014 08:01:50 -0400 (EDT)
From: Rick Macklem
To: araujo@FreeBSD.org
Message-ID: <986887451.63845723.1413288110282.JavaMail.root@uoguelph.ca>
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Cc: freebsd-fs@freebsd.org

Marcelo Araujo wrote:
> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch during
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Loïc Blot :
>
> > Hi,
> > since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > sysctl variable to disable nobody and nogroup check into the kernel
> > (default enabled)
> > This variable is useful in some situations, like TFTP over NFS, jails
> > over NFS (some files like /var/db/locate.database need nobody user).
> >
> > I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > modify NFSv4 nobody/nogroup check.
> >
> > Thanks to Rick to tell me where the problem was.
> >
> > Can you review the patch, and add it to kernel to avoid previous
> > mentioned issue.
> >
> > Here is my patch:
> >
> > --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 > > 12:03:50.163311506 > > +0200 > > +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 > > 12:06:29.793304755 +0200
> > @@ -62,9 +62,18 @@ > > SYSCTL_DECL(_vfs_nfsd); > > > > static int disable_checkutf8 =3D 0; > > +static int disable_nobodycheck =3D 0; > > +static int disable_nogroupcheck =3D 0; > > SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, > > &disable_checkutf8, 0, > > "Disable the NFSv4 check for a UTF8 compliant name"); > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, > > + &disable_nobodycheck, 0, > > + "Disable the NFSv4 check when setting user nobody as owner"); > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW, > > + &disable_nogroupcheck, 0, > > + "Disable the NFSv4 check when setting group nogroup as > > owner"); > > + > >

Patch looks fine to me. Marcelo, you can commit this if you'd like.
Otherwise I'll do it. Sorry it took a while for me to remember this
was disabled. (My only excuse is I wrote it about 10 years ago;-)

rick

> > static char nfsrv_hexdigit(char, int *);
> > > > @@ -1543,8 +1552,8 @@ > > */ > > if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) > > goto out; > > - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > nfsrv_defaultuid) > > - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > nfsrv_defaultgid)) { > > + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > nfsrv_defaultuid && > > disable_nobodycheck =3D=3D 0) > > + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > nfsrv_defaultgid && > > disable_nogroupcheck =3D=3D 0)) { > > error =3D NFSERR_BADOWNER; > > goto out; > > }
> > Regards,
> >
> > Loïc Blot,
> > UNIX Systems, Network and Security Engineer
> > http://www.unix-experience.fr
>
> --
> Marcelo Araujo
> araujo@FreeBSD.org
> http://www.FreeBSD.org
> Power To Server.
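
Review bot: in the first hunk (@@ -62,9 +62,18 @@), the description strings on the two new SYSCTL_INT entries name the check being disabled but not the effect of disabling it, and both knobs are CTLFLAG_RW, so the check can be relaxed on a running server. Going by the second hunk, a nonzero value means a request that sets the owner to nfsrv_defaultuid (or the group to nfsrv_defaultgid) is no longer rejected with NFSERR_BADOWNER; I would say that in the descriptions and add documentation for both sysctls, since the patch as posted touches only nfs_nfsdsubs.c. "setting group nogroup as owner" would also read better as "as group".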
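
Review bot: in the second hunk (@@ -1543,8 +1552,8 @@), the knobs are named for nobody/nogroup, but what the rewritten if actually gates is the comparison against nfsrv_defaultuid and nfsrv_defaultgid; if those variables can hold ids other than nobody/nogroup, the sysctl names and descriptions should refer to the default uid/gid instead. The comment block that closes just above the condition is not touched by the hunk and should mention the two knobs if it explains this check. Testing disable_nobodycheck == 0 and disable_nogroupcheck == 0 first in their && chains, and wrapping the continuation lines, would also make the condition easier to read.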