Date: Tue, 14 Oct 2014 20:11:08 +0800
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
From: Marcelo Araujo
To: Rick Macklem
Cc: "freebsd-fs@freebsd.org"

Thanks Rick,

I will do it tomorrow (Taiwan Time).

Best Regards,

2014-10-14 20:01 GMT+08:00 Rick Macklem :
> Marcelo Araujo wrote:
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, seems a good approach to overcome this issue, at
> > least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch during
> > this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot :
> >
> > > Hi,
> > > since a recent problem (see thread NFSv4 nobody issue), I think we need a
> > > sysctl variable to disable nobody and nogroup check into the kernel
> > > (default enabled)
> > > This variable is useful in some situations, like TFTP over NFS, jails
> > > over NFS (some files like /var/db/locate.database need nobody user).
> > >
> > > I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
> > > modify NFSv4 nobody/nogroup check.
> > >
> > > Thanks to Rick for telling me where the problem was.
> > >
> > > Can you review the patch, and add it to kernel to avoid previous
> > > mentioned issue.
> > >
> > > Here is my patch:
> > >
> > > --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 > > > 12:03:50.163311506 > > > +0200 > > > +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 > > > 12:06:29.793304755 +0200
> > > @@ -62,9 +62,18 @@ > > > SYSCTL_DECL(_vfs_nfsd); > > > > > > static int disable_checkutf8 =3D 0; > > > +static int disable_nobodycheck =3D 0; > > > +static int disable_nogroupcheck =3D 0; > > > SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW, > > > &disable_checkutf8, 0, > > > "Disable the NFSv4 check for a UTF8 compliant name"); > > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW, > > > + &disable_nobodycheck, 0, > > > + "Disable the NFSv4 check when setting user nobody as owner"); > > > +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW, > > > + &disable_nogroupcheck, 0, > > > + "Disable the NFSv4 check when setting group nogroup as > > > owner"); > > > + > > > > Patch looks fine to me. > > Marcelo, you can commit this if you'd like. Otherwise I'll do it. > > Sorry it took a while for me to remember this was disabled. (My only > excuse is I wrote it about 10years ago;-) > > rick > > > > static char nfsrv_hexdigit(char, int *); 
> > > > > > @@ -1543,8 +1552,8 @@ > > > */ > > > if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap)) > > > goto out; > > > - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > > nfsrv_defaultuid) > > > - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > > nfsrv_defaultgid)) { > > > + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D > > > nfsrv_defaultuid && > > > disable_nobodycheck =3D=3D 0) > > > + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D > > > nfsrv_defaultgid && > > > disable_nogroupcheck =3D=3D 0)) { > > > error =3D NFSERR_BADOWNER; > > > goto out; > > > }
> > > Regards,
> > >
> > > Loïc Blot,
> > > UNIX Systems, Network and Security Engineer
> > > http://www.unix-experience.fr
> > > _______________________________________________
> > > freebsd-fs@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
> >
> > --
> > Marcelo Araujo
> > araujo@FreeBSD.org
> > http://www.FreeBSD.org
> > Power To Server.

--
Marcelo Araujo
araujo@FreeBSD.org
http://www.FreeBSD.org
Power To Server.
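
Review bot: In the first hunk (@@ -62,9 +62,18 @@) the description strings of the two new SYSCTL_INT entries say "user nobody" and "group nogroup", but the test they gate in the second hunk compares na_uid and na_gid against nfsrv_defaultuid and nfsrv_defaultgid, so the strings should name what is actually compared, for example "Disable the NFSv4 check that rejects the default uid as owner". Both knobs are CTLFLAG_RW and switch off a check that otherwise returns NFSERR_BADOWNER, and the patch carries no documentation beyond these strings; a manual page entry should state that 0 (the default) keeps the check and that the knobs exist for cases such as the TFTP and jail setups named in the submission.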
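
Review bot: In the second hunk (@@ -1543,8 +1552,8 @@) each arm of the rewritten condition now ends in "&& disable_nobodycheck == 0" or "&& disable_nogroupcheck == 0", which pushes both lines well past 80 columns and hides the knob at the end of the expression. Testing the knob first, as in "(disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)", with the line wrapped, keeps the original comparison intact and makes the new behaviour visible at a glance. The comment that closes just above the first context line is left unchanged; it should mention that the NFSERR_BADOWNER return can now be switched off separately for uid and gid, since with a knob set a request carrying nfsrv_defaultuid or nfsrv_defaultgid falls through to the code after the check.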