From owner-freebsd-fs@FreeBSD.ORG Wed Oct 15 07:21:30 2014
Date: Wed, 15 Oct 2014 07:21:19 +0000
Message-ID: <345e74ad56f643496a0fa158dda30733@mail.unix-experience.fr>
From: Loïc Blot
Subject: Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
To: araujo@freebsd.org, "Rick Macklem"
Cc: freebsd-fs@freebsd.org
References: <2111556765.63849821.1413288573994.JavaMail.root@uoguelph.ca>

Hi,
I agree, thanks for your rework!

Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

On 15 October 2014 04:24, "Marcelo Araujo" wrote:

Hello Ronald and Blot,

Here is the patch with a small rework. I considered Ronald's comments and also changed the code style a bit.

If you guys agree with the patch, I will commit it today.

Note: About the disable_utf8 that Rick has mentioned, I will rework that part later to make it enable_utf8 instead of disable_utf8.

Best Regards,

2014-10-14 20:12 GMT+08:00 Marcelo Araujo:

Hello All,

Before I commit it, I will double check what is the best way.
Thanks, Ronald, for pointing it out.

Best Regards,

2014-10-14 20:09 GMT+08:00 Rick Macklem:

Ronald Klop wrote:
> I thought it is advised to make settings positively defined. So not use
> 'disable = 1', but 'enable = 0'.
>
For the case of disable_utf8, I made it negative, since disabling the
check violates RFC-3530. For these checks, there isn't anything in the
RFC requiring the check AFAIK, so I personally don't care which way they
are done.
(If the default is disabling the check that could be a minor POLA
violation.)

So, you guys choose whichever you prefer to commit, rick

> Ronald.
>
>
> On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo wrote:
>
> > Hello Blot,
> >
> > The patch looks reasonable.
> > As per the email thread, seems a good approach to overcome this
> > issue, at least for now.
> >
> > If Rick has no objection and no free time, I can commit the patch
> > during this week.
> >
> > Best Regards,
> >
> > 2014-10-14 18:34 GMT+08:00 Loïc Blot:
> >
> >> Hi,
> >>  since a recent problem (see thread NFSv4 nobody issue), I think we
> >> need a sysctl variable to disable nobody and nogroup check in the
> >> kernel (default enabled)
> >>  This variable is useful in some situations, like TFTP over NFS, jails
> >> over NFS (some files like /var/db/locate.database need nobody
> >> user).
> >>
> >>  I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck
> >> to modify NFSv4 nobody/nogroup check.
> >>
> >>  Thanks to Rick for telling me where the problem was.
> >>
> >>  Can you review the patch, and add it to kernel to avoid previous
> >> mentioned issue.
> >>
> >>  Here is my patch:
> >>
> >>=C2=A0 --- sys/fs/nfsserver/nfs_n= fsdsubs.c.orig=C2=A0 =C2=A0 2014-10-14=0A > >> 12:03:50.163311506=0A > >>= +0200=0A > >>=C2=A0 +++ sys/fs/nfsserver/nfs_nfsdsubs.c=C2=A0 =C2=A0 201= 4-10-14=0A > >>=C2=A0 12:06:29.793304755=0A > >> +0200=0A > >>=C2=A0 @@ -= 62,9 +62,18 @@=0A > >>=C2=A0 =C2=A0SYSCTL_DECL(_vfs_nfsd);=0A > >>=0A > >= >=C2=A0 =C2=A0static int=C2=A0 =C2=A0 disable_checkutf8 =3D 0;=0A > >>=C2= =A0 +static int=C2=A0 =C2=A0 disable_nobodycheck =3D 0;=0A > >>=C2=A0 +st= atic int=C2=A0 =C2=A0 
disable_nogroupcheck =3D 0;=0A > >>=C2=A0 =C2=A0SYS= CTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,=0A > >>=C2=A0= =C2=A0 =C2=A0 =C2=A0&disable_checkutf8, 0,=0A > >>=C2=A0 =C2=A0 =C2=A0 = =C2=A0"Disable the NFSv4 check for a UTF8 compliant name");=0A > >>=C2=A0= +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,=0A > >= >=C2=A0 +=C2=A0 =C2=A0 &disable_nobodycheck, 0,=0A > >>=C2=A0 +=C2=A0 =C2= =A0 "Disable the NFSv4 check when setting user nobody as=0A > >>=C2=A0 ow= ner");=0A > >>=C2=A0 +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupchec= k,=0A > >>=C2=A0 CTLFLAG_RW,=0A > >>=C2=A0 +=C2=A0 =C2=A0 &disable_nogrou= pcheck, 0,=0A > >>=C2=A0 +=C2=A0 =C2=A0 "Disable the NFSv4 check when set= ting group nogroup as=0A > >>=C2=A0 owner");=0A > >>=C2=A0 +=0A > >>=0A >= >>=C2=A0 =C2=A0static char nfsrv_hexdigit(char, int *);=0A > >>=0A > >>= =C2=A0 
@@ -1543,8 +1552,8 @@=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 */=0A > >= >=C2=A0 =C2=A0 =C2=A0 =C2=A0if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGI= D(nvap))=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0goto out;=0A > >= >=C2=A0 -=C2=A0 =C2=A0 if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D= =0A > >>=C2=A0 nfsrv_defaultuid)=0A > >>=C2=A0 -=C2=A0 =C2=A0 =C2=A0 =C2= =A0 || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D=0A > >> nfsrv_defaul= tgid)) {=0A > >>=C2=A0 +=C2=A0 =C2=A0 if ((NFSVNO_ISSETUID(nvap) && nvap-= >na_uid =3D=3D=0A > >>=C2=A0 nfsrv_defaultuid &&=0A > >> disable_nobodych= eck =3D=3D 0)=0A > >>=C2=A0 +=C2=A0 =C2=A0 =C2=A0 =C2=A0 || (NFSVNO_ISSET= GID(nvap) && nvap->na_gid =3D=3D=0A > >>=C2=A0 nfsrv_defaultgid=0A > >> &= &=0A > >> disable_nogroupcheck =3D=3D 0)) {=0A > >>=C2=A0 =C2=A0 =C2=A0 = =C2=A0 =C2=A0 =C2=A0error =3D NFSERR_BADOWNER;=0A > >>=C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0goto out;=0A > >>=C2=A0 =C2=A0 =C2=A0 =C2=A0}=0A
> >>  Regards,
> >>
> >>  Loïc Blot,
> >>  UNIX Systems, Network and Security Engineer
> >>  http://www.unix-experience.fr
> >> _______________________________________________
> >> freebsd-fs@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> >> To unsubscribe, send any mail to
> >> "freebsd-fs-unsubscribe@freebsd.org"
> >
> >
> >
>

--
Marcelo Araujo
araujo@FreeBSD.org
http://www.FreeBSD.org
Power To Server.
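
Review bot: in the first hunk (@@ -62,9 +62,18 @@) the description strings of the two new SYSCTL_INT entries name the check that is disabled but not the effect of turning it off. Since both knobs are CTLFLAG_RW and relax an ownership check, the text shown by sysctl -d should state the result, for example that a non-zero value lets an NFSv4 request set the owner (or group) to nfsrv_defaultuid (nfsrv_defaultgid) instead of failing with NFSERR_BADOWNER. The hunk also ends with an added empty "+" line directly in front of an existing blank context line, which leaves two blank lines before the nfsrv_hexdigit prototype; drop the added one. The negative naming was already questioned in the thread, and if disable_checkutf8 is going to become enable_utf8 it is worth naming these two in the same direction now rather than renaming them later.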
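
Review bot: in the second hunk (@@ -1543,8 +1552,8 @@) the two knobs are evaluated independently inside one || test, so with only disable_nobodycheck set a request that sets both owner and group to the defaults still returns NFSERR_BADOWNER through the gid arm, and the reverse holds for disable_nogroupcheck. If that is the intended behaviour, say so in the block comment that closes just above the NFSVNO_NOTSETUID test, which this hunk leaves unchanged and which should now mention both sysctls. If each added arm is a single line in the file it runs past 80 columns; testing the knob first (disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && ...) and wrapping once per arm would keep the condition readable.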