Date: Tue, 14 Oct 2014 08:09:33 -0400 (EDT)
From: Rick Macklem
To: Ronald Klop
Cc: freebsd-fs@freebsd.org, Marcelo Araujo
Message-ID: <2111556765.63849821.1413288573994.JavaMail.root@uoguelph.ca>
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check

Ronald Klop wrote:
> I thought it is advised to make settings positively defined. So not use
> 'disable = 1', but 'enable = 0'.
>
For the case of disable_utf8, I made it negative, since disabling the check
violates RFC-3530. For these checks, there isn't anything in the RFC requiring
the check AFAIK, so I personally don't care which way they are done. (If the
default is disabling the check that could be a minor POLA violation.)
So, you guys choose whichever you prefer to commit, rick

> Ronald.
>
>
> On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
>
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, seems a good approach to overcome this issue, at
> > least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch during
> > this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot :
> >
> >> Hi,
> >> since a recent problem (see thread NFSv4 nobody issue), I think we need a
> >> sysctl variable to disable nobody and nogroup check into the kernel
> >> (default enabled)
> >> This variable is useful in some situations, like TFTP over NFS, jails
> >> over NFS (some files like /var/db/locate.database need nobody user).
> >> > >> I added vfs.nfsd.disable_nobodycheck and > >> vfs.nfsd.disable_nogroupcheck > >> to > >> modify NFSv4 nobody/nogroup check. > >> > >> Thanks to Rick to tell me where the problem was. > >> > >> Can you review the patch, and add it to kernel to avoid previous > >> mentionned issue. > >> > >> Here is my patch: > >> > >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 > >> 12:03:50.163311506 > >> +0200 > >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 > >> 12:06:29.793304755 > >> +0200 > >> @@ -62,9 +62,18 @@ > >> SYSCTL_DECL(_vfs_nfsd); > >> > >> static int disable_checkutf8 =3D 0; > >> +static int disable_nobodycheck =3D 0; > >> +static int disable_nogroupcheck =3D 0; > >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, > >> &disable_checkutf8, 0, > >> "Disable the NFSv4 check for a UTF8 compliant name"); > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, > >> + &disable_nobodycheck, 0, > >> + "Disable the NFSv4 check when setting user nobody as > >> owner"); > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, > >> CTLFLAG_RW, > >> + &disable_nogroupcheck, 0, > >> + "Disable the NFSv4 check when setting group nogroup as > >> owner"); > >> + > >> > >> static char nfsrv_hexdigit(char, int *); 
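Review bot: the two new sysctl description strings name "user nobody" and "group nogroup", but what the second hunk actually compares against is nfsrv_defaultuid and nfsrv_defaultgid, i.e. whatever uid/gid this server maps unknown owner strings to; word the strings accordingly (for example "Disable the NFSv4 check for setting the default uid as owner") so an administrator does not assume the knob is tied to one particular account, and fix the nogroup string, where "as owner" should read "as group". The lone `+` line at the end of the hunk adds a second empty line before `static char nfsrv_hexdigit(char, int *);`; drop it. On Ronald's naming point upthread: whichever polarity is committed, keep the default at "check enabled", because with the check off a client-supplied owner that equals the default uid is accepted and can no longer be told apart from an owner string that simply failed to map.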
> >> > >> @@ -1543,8 +1552,8 @@ > >> */ > >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) > >> goto out; > >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > >> nfsrv_defaultuid) > >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > >> nfsrv_defaultgid)) { > >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > >> nfsrv_defaultuid && > >> disable_nobodycheck =3D=3D 0) > >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > >> nfsrv_defaultgid > >> && > >> disable_nogroupcheck =3D=3D 0)) { > >> error =3D NFSERR_BADOWNER; > >> goto out; > >> } > >> Regards, > >> > >> Lo=C3=AFc Blot, > >> UNIX Systems, Network and Security Engineer > >> http://www.unix-experience.fr > >> _______________________________________________ > >> freebsd-fs@freebsd.org mailing list > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs > >> To unsubscribe, send any mail to > >> "freebsd-fs-unsubscribe@freebsd.org" > > > > > > > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" >=20
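Review bot: the new condition is logically right (NFSERR_BADOWNER is returned only while the matching disable_* knob is 0), but the comment that closes at the `*/` context line just above `if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))` predates the knobs and should be extended to mention vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck, so the reason for the rejection and the way it is switched off sit next to the code. Readability: with three operands per clause and a bare `&&` wrapped onto its own line, the bypass is easy to miss; putting the sysctl test first (`disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid`) makes it obvious at a glance and short-circuits before the uid compare. Because both knobs are CTLFLAG_RW, a value changed at runtime applies to the very next request with no nfsd restart, which is what makes the TFTP-over-NFS and jails-over-NFS use case workable and is also worth stating in the commit message for anyone monitoring sysctl changes on an NFS server.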