From owner-freebsd-fs@FreeBSD.ORG  Tue Oct 14 12:04:12 2014
Return-Path: <owner-freebsd-fs@FreeBSD.ORG>
Delivered-To: freebsd-fs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id B9F8920B;
 Tue, 14 Oct 2014 12:04:12 +0000 (UTC)
Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl
 [195.190.28.81]) (using TLSv1 with cipher AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7900022B;
 Tue, 14 Oct 2014 12:04:12 +0000 (UTC)
Received: from smtp.greenhost.nl ([213.108.104.138])
 by smarthost1.greenhost.nl with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.72) (envelope-from <ronald-lists@klop.ws>)
 id 1Xe0pg-0003Pq-1M; Tue, 14 Oct 2014 14:04:09 +0200
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: =?iso-8859-15?Q?Lo=EFc_Blot?= <loic.blot@unix-experience.fr>, "Marcelo
 Araujo" <araujobsdport@gmail.com>, araujo@freebsd.org
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
References: <ccad8b9abb67b704e435accfc88513ea@mail.unix-experience.fr>
 <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf+twky+pSQ8U6Csew@mail.gmail.com>
Date: Tue, 14 Oct 2014 14:04:02 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: Quoted-Printable
From: "Ronald Klop" <ronald-lists@klop.ws>
Message-ID: <op.xnpyg0oxkndu52@ronaldradial.radialsg.local>
In-Reply-To: <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf+twky+pSQ8U6Csew@mail.gmail.com>
User-Agent: Opera Mail/12.17 (Win32)
X-Authenticated-As-Hash: 398f5522cb258ce43cb679602f8cfe8b62a256d1
X-Virus-Scanned: by clamav at smarthost1.samage.net
X-Spam-Level: --
X-Spam-Score: -2.9
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,
 BAYES_00 autolearn=disabled version=3.3.1
X-Scan-Signature: 2d0a7f6a049cc125cd28f2ceffdc0173
Cc: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 12:04:12 -0000

I thought it is advised to make settings positively defined. So not use =
 =

'disable =3D 1', but 'enable =3D 0'.

Ronald.


On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo  =

<araujobsdport@gmail.com> wrote:

> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue,=
 at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch duri=
ng
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Lo=EFc Blot <loic.blot@unix-experience.fr>:=

>
>> Hi,
>>  since a recent problem (see thread NFSv4 nobody issue), i think we  =

>> need a
>> sysctl variable to disable nobody and nogroup check into the kernel
>> (default enabled)
>>  This variable is useful in some situations, like TFTP over NFS, jail=
s
>> over NFS (some files like /var/db/locate.database need nobody user).
>>
>>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupche=
ck  =

>> to
>> modify NFSv4 nobody/nogroup check.
>>
>>  Thanks to Rick to tell me where the problem was.
>>
>>  Can you review the patch, and add it to kernel to avoid previous
>> mentionned issue.
>>
>>  Here is my patch:
>>
>>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14  =

>> 12:03:50.163311506
>> +0200
>>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14 12:06:29.793304755=
  =

>> +0200
>>  @@ -62,9 +62,18 @@
>>   SYSCTL_DECL(_vfs_nfsd);
>>
>>   static int    disable_checkutf8 =3D 0;
>>  +static int    disable_nobodycheck =3D 0;
>>  +static int    disable_nogroupcheck =3D 0;
>>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>>       &disable_checkutf8, 0,
>>       "Disable the NFSv4 check for a UTF8 compliant name");
>>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>>  +    &disable_nobodycheck, 0,
>>  +    "Disable the NFSv4 check when setting user nobody as owner");
>>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
>>  +    &disable_nogroupcheck, 0,
>>  +    "Disable the NFSv4 check when setting group nogroup as owner");=

>>  +
>>
>>   static char nfsrv_hexdigit(char, int *);
>>
>>  @@ -1543,8 +1552,8 @@
>>        */
>>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>>           goto out;
>>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_default=
uid)
>>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D  =

>> nfsrv_defaultgid)) {
>>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D nfsrv_default=
uid &&
>> disable_nobodycheck =3D=3D 0)
>>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D nfsrv_defa=
ultgid  =

>> &&
>> disable_nogroupcheck =3D=3D 0)) {
>>           error =3D NFSERR_BADOWNER;
>>           goto out;
>>       }
>>  Regards,
>>
>>  Lo=EFc Blot,
>>  UNIX Systems, Network and Security Engineer
>>  http://www.unix-experience.fr
>> _______________________________________________
>> freebsd-fs@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"=

>
>
>