Date:      Wed, 15 Oct 2014 07:21:19 +0000
From:      "Loïc Blot" <loic.blot@unix-experience.fr>
To:        araujo@freebsd.org, "Rick Macklem" <rmacklem@uoguelph.ca>
Cc:        freebsd-fs@freebsd.org
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <345e74ad56f643496a0fa158dda30733@mail.unix-experience.fr>
In-Reply-To: <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com>
References:  <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com> <op.xnpyg0oxkndu52@ronaldradial.radialsg.local> <2111556765.63849821.1413288573994.JavaMail.root@uoguelph.ca> <CAOfEmZhbAvC26j-sx3A9sLcr_mc1Z3KNv_%2BYAgJV0M5hvSdnQw@mail.gmail.com>


Hi,
 I agree, thanks for your rework!

 Regards,

 Loïc Blot,
 UNIX Systems, Network and Security Engineer
 http://www.unix-experience.fr
 On 15 October 2014 04:24, "Marcelo Araujo" wrote:

	  
 Hello Ronald and Blot,

Here is the patch with a small rework. I considered Ronald's comments, and I also changed the code style a bit.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo :

    Hello All,

Before I commit it, I will double check what is the best way.
Thanks, Ronald, for pointing it out.

Best Regards,
  
2014-10-14 20:09 GMT+08:00 Rick Macklem :

 Ronald Klop wrote:
 > I thought it is advised to make settings positively defined. So not use
 > 'disable = 1', but 'enable = 0'.
 >
 For the case of disable_utf8, I made it negative, since disabling the
 check violates RFC-3530. For these checks, there isn't anything in the
 RFC requiring the check AFAIK, so I personally don't care which way they
 are done. (If the default is disabling the check that could be a minor POLA
 violation.)

 So, you guys choose whichever you prefer to commit, rick 
 > Ronald.
 >
 >
 > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
 >
 > > Hello Blot,
 > >
 > > The patch looks reasonable.
 > > As per the email thread, seems a good approach to overcome this issue, at
 > > least for now.
 > >
 > > If Rick has no objection and no free time, I can commit the patch during
 > > this week.
 > >
 > > Best Regards,
 > >
 > > 2014-10-14 18:34 GMT+08:00 Loïc Blot :
 > >
 > >> Hi,
 > >>  since a recent problem (see thread NFSv4 nobody issue), I think we need a
 > >> sysctl variable to disable nobody and nogroup check into the kernel
 > >> (default enabled)
 > >>  This variable is useful in some situations, like TFTP over NFS, jails
 > >> over NFS (some files like /var/db/locate.database need nobody user).
 > >>
 > >>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
 > >> to modify NFSv4 nobody/nogroup check.
 > >>
 > >>  Thanks to Rick for telling me where the problem was.
 > >>
 > >>  Can you review the patch, and add it to kernel to avoid previously
 > >> mentioned issue.
 > >>
 > >>  Here is my patch:
 > >>
 > >>  --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig    2014-10-14
 > >> 12:03:50.163311506
 > >> +0200
 > >>  +++ sys/fs/nfsserver/nfs_nfsdsubs.c    2014-10-14
 > >>  12:06:29.793304755
 > >> +0200
 > >>  @@ -62,9 +62,18 @@
 > >>   SYSCTL_DECL(_vfs_nfsd);
 > >>
 > >>   static int    disable_checkutf8 = 0;
 > >>  +static int    disable_nobodycheck = 0;
 > >>  +static int    disable_nogroupcheck = 0;
 > >>   SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
 > >>       &disable_checkutf8, 0,
 > >>       "Disable the NFSv4 check for a UTF8 compliant name");
 > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
 > >>  +    &disable_nobodycheck, 0,
 > >>  +    "Disable the NFSv4 check when setting user nobody as
 > >>  owner");
 > >>  +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
 > >>  CTLFLAG_RW,
 > >>  +    &disable_nogroupcheck, 0,
 > >>  +    "Disable the NFSv4 check when setting group nogroup as
 > >>  owner");
 > >>  +
 > >>
 > >>   static char nfsrv_hexdigit(char, int *);
 > >>
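Review bot: the description strings on the two added SYSCTL_INT entries ("Disable the NFSv4 check when setting user nobody as owner" and the nogroup equivalent) do not say what the check does or what turning it off permits. Going by the second hunk, setting either knob means a request that sets the owner to nfsrv_defaultuid or the group to nfsrv_defaultgid is no longer rejected with NFSERR_BADOWNER; since both are CTLFLAG_RW and change which owner values the server accepts at runtime, the string should state that directly, and the knobs should be documented alongside disable_checkutf8. The lone `+` line after the last SYSCTL_INT adds a blank line directly in front of an existing blank line and can be dropped. If the enable-style naming discussed in this thread is adopted, apply it to both new variables together so they stay consistent with each other.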
 > >>  @@ -1543,8 +1552,8 @@
 > >>        */
 > >>       if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
 > >>           goto out;
 > >>  -    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
 > >>  nfsrv_defaultuid)
 > >>  -        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
 > >> nfsrv_defaultgid)) {
 > >>  +    if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid ==
 > >>  nfsrv_defaultuid &&
 > >> disable_nobodycheck == 0)
 > >>  +        || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
 > >>  nfsrv_defaultgid
 > >> &&
 > >> disable_nogroupcheck == 0)) {
 > >>           error = NFSERR_BADOWNER;
 > >>           goto out;
 > >>       }
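Review bot: in the rewritten `if`, the two knobs are tested independently on each side of the `||`, so with only disable_nobodycheck set a request that sets both na_uid to nfsrv_defaultuid and na_gid to nfsrv_defaultgid still returns NFSERR_BADOWNER through the gid arm. That is a reasonable design, but it should be stated in the sysctl descriptions, because the use cases given in the cover text (TFTP over NFS, jails over NFS) may need both set. On style, both added lines run well past 80 columns; wrap each arm so the `&& disable_nobodycheck == 0` and `&& disable_nogroupcheck == 0` terms sit on their own continuation lines, and consider testing the flag first in each arm so the intent (check skipped when disabled) is visible before the uid/gid comparison.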
 > >>  Regards,
 > >>
 > >>  Loïc Blot,
 > >>  UNIX Systems, Network and Security Engineer
 > >>  http://www.unix-experience.fr
 > >> _______________________________________________
 > >> freebsd-fs@freebsd.org mailing list
 > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
 > >> To unsubscribe, send any mail to
 > >> "freebsd-fs-unsubscribe@freebsd.org"
 > >
 > >
 > >
 >      
 --
 Marcelo Araujo
 araujo@FreeBSD.org
 http://www.FreeBSD.org
 Power To Server.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?345e74ad56f643496a0fa158dda30733>