Date:      Tue, 14 Oct 2014 20:11:08 +0800
From:      Marcelo Araujo <araujobsdport@gmail.com>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <CAOfEmZg_ujvu4yUyVrUcnOhKbkZqVb-jJ70RkaKatvxPMQD9tg@mail.gmail.com>
In-Reply-To: <986887451.63845723.1413288110282.JavaMail.root@uoguelph.ca>
References:  <CAOfEmZjT5L-h6rBcNmeUZdsWVKq-ONP_Jf%2Btwky%2BpSQ8U6Csew@mail.gmail.com> <986887451.63845723.1413288110282.JavaMail.root@uoguelph.ca>

Thanks Rick,

I will do it tomorrow (Taiwan Time).

Best Regards,

2014-10-14 20:01 GMT+08:00 Rick Macklem <rmacklem@uoguelph.ca>:

> Marcelo Araujo wrote:
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, it seems a good approach to overcome this issue,
> > at least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch during
> > this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot@unix-experience.fr>:
> >
> > > Hi,
> > >  since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > > sysctl variable to disable the nobody and nogroup check in the kernel
> > > (default enabled).
> > >  This variable is useful in some situations, like TFTP over NFS, jails
> > > over NFS (some files like /var/db/locate.database need the nobody user).
> > >
> > >  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > > modify the NFSv4 nobody/nogroup check.
> > >
> > >  Thanks to Rick for telling me where the problem was.
> > >
> > >  Can you review the patch and add it to the kernel to avoid the previously
> > > mentioned issue?
> > >
> > >  Here is my patch:
> > >
> > >  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
> > >  12:03:50.163311506
> > > +0200
> > >  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
> > >  12:06:29.793304755 +0200
> > >  @@ -62,9 +62,18 @@
> > >   SYSCTL_DECL(_vfs_nfsd);
> > >
> > >   static int    disable_checkutf8 =3D 0;
> > >  +static int    disable_nobodycheck =3D 0;
> > >  +static int    disable_nogroupcheck =3D 0;
> > >   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> > >       &disable_checkutf8, 0,
> > >       "Disable the NFSv4 check for a UTF8 compliant name");
> > >  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
> > >  +    &disable_nobodycheck, 0,
> > >  +    "Disable the NFSv4 check when setting user nobody as owner");
> > >  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
> > >  +    &disable_nogroupcheck, 0,
> > >  +    "Disable the NFSv4 check when setting group nogroup as
> > >  owner");
> > >  +
> > >
> Patch looks fine to me.
>
> Marcelo, you can commit this if you'd like. Otherwise I'll do it.
>
> Sorry it took a while for me to remember this was disabled. (My only
> excuse is I wrote it about 10 years ago ;-)
>
> rick
>
> > >   static char nfsrv_hexdigit(char, int *);
> > >
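Review bot: the description strings on the two added SYSCTL_INT entries ("Disable the NFSv4 check when setting user nobody as owner" and its nogroup counterpart) do not say what the check does while it is enabled, and nothing in the patch documents the new knobs. Both are CTLFLAG_RW and default to 0, so an administrator flipping them at runtime should be able to tell from the description that the check being switched off is the one that rejects a setattr whose owner or group equals the server's default uid/gid with NFSERR_BADOWNER. Consider wording the strings along those lines and documenting the two sysctls in the same change.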
> > >  @@ -1543,8 +1552,8 @@
> > >        */
> > >       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> > >           goto out;
> > >  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > >  nfsrv_defaultuid)
> > >  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > >  nfsrv_defaultgid)) {
> > >  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > >  nfsrv_defaultuid &&
> > > disable_nobodycheck =3D=3D 0)
> > >  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > >  nfsrv_defaultgid &&
> > > disable_nogroupcheck =3D=3D 0)) {
> > >           error =3D NFSERR_BADOWNER;
> > >           goto out;
> > >       }
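Review bot: in the rewritten `if`, the two flags are tested independently, so with only disable_nobodycheck set, a request that sets na_uid to nfsrv_defaultuid and na_gid to nfsrv_defaultgid together still returns NFSERR_BADOWNER through the group clause. If that is intended, state it in the sysctl descriptions or in the block comment that closes at this hunk's first context line, which the patch leaves untouched. On style, the hunk header shows the line count unchanged at 8, so each clause is now a single line well past 80 columns; break after the `&&` before the flag test, and consider `!disable_nobodycheck` rather than `== 0` to ease the double negative.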
> > >  Regards,
> > >
> > >  Loïc Blot,
> > >  UNIX Systems, Network and Security Engineer
> > >  http://www.unix-experience.fr
> > > _______________________________________________
> > > freebsd-fs@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > > To unsubscribe, send any mail to
> > > "freebsd-fs-unsubscribe@freebsd.org"
> >
> >
> >
> >
> > --
> >
> > --
> > Marcelo Araujo            (__)araujo@FreeBSD.org
> > \\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>;   \/  \ ^
> > Power To Server.         .\. /_)
>



--

--
Marcelo Araujo            (__)araujo@FreeBSD.org
\\\'',)http://www.FreeBSD.org <http://www.freebsd.org/>;   \/  \ ^
Power To Server.         .\. /_)


