Date:      Sun, 03 Nov 2024 11:46:58 +0100
From:      Olivier Certner <olce@freebsd.org>
To:        Ravi Pokala <rpokala@freebsd.org>, Cy Schubert <Cy.Schubert@cschubert.com>
Cc:        src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: cfbe7a62dc62 - main - nfs, rpc: Ensure kernel credentials have at least one group
Message-ID:  <2884013.iL6vRArjjl@ravel>
In-Reply-To: <3070589.hHqAuc6tWs@ravel>
References:  <202411022039.4A2KdbAE046580@gitrepo.freebsd.org> <20241103065704.4377C114@slippy.cwsent.com> <3070589.hHqAuc6tWs@ravel>

--nextPart1977332.vslOlgHxSZ
Content-Type: multipart/mixed; boundary="nextPart86592338.0ko45tJjV3";
 protected-headers="v1"
Content-Transfer-Encoding: 7Bit
From: Olivier Certner <olce@freebsd.org>
Date: Sun, 03 Nov 2024 11:46:58 +0100
Message-ID: <2884013.iL6vRArjjl@ravel>
In-Reply-To: <3070589.hHqAuc6tWs@ravel>
MIME-Version: 1.0

This is a multi-part message in MIME format.

--nextPart86592338.0ko45tJjV3
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="UTF-8"

Could you please test the attached patch and confirm it fixes the problems you're seeing?

-- 
Olivier Certner
--nextPart86592338.0ko45tJjV3
Content-Disposition: attachment;
 filename="0001-nfs-Fallback-to-GID_NOGROUP-on-no-groups.patch"
Content-Transfer-Encoding: 7Bit
Content-Type: text/x-patch; charset="x-UTF_8J";
 name="0001-nfs-Fallback-to-GID_NOGROUP-on-no-groups.patch"

>From ab37cd80635b52f59fbce53f942cddd79002f233 Mon Sep 17 00:00:00 2001
From: Olivier Certner <olce@FreeBSD.org>
Date: Sun, 3 Nov 2024 11:26:37 +0100
Subject: [PATCH] nfs: Fallback to GID_NOGROUP on no groups

We cannot unconditionally access nfsd's VNET variables in
'sys/kern/vfs_export.c' nor 'sys/fs/nfsserver/nfs_nfsdsubs.c', as they
may not have been compiled in depending on build options.

So, forget about the extra mile of using the configured default group
and use the hardcoded GID_NOGROUP (which differs only on systems running
nfsuserd(8) and with a non-default UID for their "nogroup" group).

Fixes:          cfbe7a62dc62 ("nfs, rpc: Ensure kernel credentials have at least one group")
---
 sys/fs/nfs/nfs_commonport.c | 3 +--
 sys/fs/nfs/nfs_commonsubs.c | 2 +-
 sys/kern/vfs_export.c       | 9 +++------
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c
index 11f31d1a0e9f..0c94f4e7dc52 100644
--- a/sys/fs/nfs/nfs_commonport.c
+++ b/sys/fs/nfs/nfs_commonport.c
@@ -73,11 +73,10 @@ uint32_t nfs_srvmaxio = NFS_SRVMAXIO;
 
 NFSD_VNET_DEFINE(struct nfsstatsv1 *, nfsstatsv1_p);
 
 NFSD_VNET_DECLARE(struct nfssockreq, nfsrv_nfsuserdsock);
 NFSD_VNET_DECLARE(nfsuserd_state, nfsrv_nfsuserd);
-NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
 
 int nfs_pnfsio(task_fn_t *, void *);
 
 static int nfs_realign_test;
 static int nfs_realign_count;
@@ -258,11 +257,11 @@ newnfs_copycred(struct nfscred *nfscr, struct ucred *cr)
 
 	KASSERT(nfscr->nfsc_ngroups >= 0,
 	    ("newnfs_copycred: negative nfsc_ngroups"));
 	cr->cr_uid = nfscr->nfsc_uid;
 	crsetgroups_fallback(cr, nfscr->nfsc_ngroups, nfscr->nfsc_groups,
-	    NFSD_VNET(nfsrv_defaultgid));
+	    GID_NOGROUP);
 }
 
 /*
  * Map args from nfsmsleep() to msleep().
  */
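Review bot: The `GID_NOGROUP` argument to `crsetgroups_fallback()` in newnfs_copycred() carries no comment saying why a hardcoded constant replaces the configured nfsd default group, and the same is true of the call in nfssvc_idname() and the two calls in vfs_hang_addrlist(). Per the commit message the two values differ on systems running nfsuserd(8) with a non-default "nogroup" id, so there a credential that arrives with no groups now gets a GID the administrator did not configure. In nfssvc_idname() that GID is also copied into `cr_rgid` and `cr_svgid` on the following line. I would add a short comment at the call sites, e.g. `/* nfsd's default GID may not be compiled in; use the fixed GID_NOGROUP. */`, and record the behaviour difference in the nfsuserd(8) documentation so operators relying on a custom "nogroup" mapping can review their export permissions.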
diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c
index ce4b0052714e..81c558d768ea 100644
--- a/sys/fs/nfs/nfs_commonsubs.c
+++ b/sys/fs/nfs/nfs_commonsubs.c
@@ -4050,11 +4050,11 @@ nfssvc_idname(struct nfsd_idargs *nidp)
 			 * but using the group list provided.
 			 */
 			cr = crget();
 			cr->cr_uid = cr->cr_ruid = cr->cr_svuid = nidp->nid_uid;
 			crsetgroups_fallback(cr, nidp->nid_ngroup, grps,
-			    NFSD_VNET(nfsrv_defaultgid));
+			    GID_NOGROUP);
 			cr->cr_rgid = cr->cr_svgid = cr->cr_gid;
 			cr->cr_prison = curthread->td_ucred->cr_prison;
 			prison_hold(cr->cr_prison);
 #ifdef MAC
 			mac_cred_associate_nfsd(cr);
diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c
index c0337b1fe858..a314bda164de 100644
--- a/sys/kern/vfs_export.c
+++ b/sys/kern/vfs_export.c
@@ -38,10 +38,11 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/conf.h>
 #include <sys/dirent.h>
 #include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
@@ -59,14 +60,10 @@
 #include <net/radix.h>
 
 #include <rpc/types.h>
 #include <rpc/auth.h>
 
-#include <fs/nfs/nfsport.h>
-
-NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid);
-
 static MALLOC_DEFINE(M_NETADDR, "export_host", "Export host address structure");
 
 #if defined(INET) || defined(INET6)
 static struct radix_node_head *vfs_create_addrlist_af(
 		    struct radix_node_head **prnh, int off);
@@ -136,11 +133,11 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep,
 		np = &nep->ne_defexported;
 		np->netc_exflags = argp->ex_flags;
 		np->netc_anon = crget();
 		np->netc_anon->cr_uid = argp->ex_uid;
 		crsetgroups_fallback(np->netc_anon, argp->ex_ngroups,
-		    argp->ex_groups, NFSD_VNET(nfsrv_defaultgid));
+		    argp->ex_groups, GID_NOGROUP);
 		np->netc_anon->cr_prison = &prison0;
 		prison_hold(np->netc_anon->cr_prison);
 		np->netc_numsecflavors = argp->ex_numsecflavors;
 		bcopy(argp->ex_secflavors, np->netc_secflavors,
 		    sizeof(np->netc_secflavors));
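Review bot: The anonymous-credential setup touched here (`crget()`, the `cr_uid` assignment, `crsetgroups_fallback()`, the `prison0` hold and the `netc_secflavors` copy) is repeated line for line in the next hunk of vfs_hang_addrlist(), which is why this fix had to be applied twice. A small static helper taking `np` and `argp` would keep the default-export path and the per-address path from drifting apart the next time the fallback group or the credential initialisation changes. The function starts and ends outside both hunks, so any difference between the two paths beyond the visible lines would need checking before the code is merged.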
@@ -215,11 +212,11 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep,
 	}
 	np->netc_exflags = argp->ex_flags;
 	np->netc_anon = crget();
 	np->netc_anon->cr_uid = argp->ex_uid;
 	crsetgroups_fallback(np->netc_anon, argp->ex_ngroups, argp->ex_groups,
-	    NFSD_VNET(nfsrv_defaultgid));
+	    GID_NOGROUP);
 	np->netc_anon->cr_prison = &prison0;
 	prison_hold(np->netc_anon->cr_prison);
 	np->netc_numsecflavors = argp->ex_numsecflavors;
 	bcopy(argp->ex_secflavors, np->netc_secflavors,
 	    sizeof(np->netc_secflavors));

--nextPart86592338.0ko45tJjV3--

--nextPart1977332.vslOlgHxSZ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit

-----BEGIN PGP SIGNATURE-----
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=uSOS
-----END PGP SIGNATURE-----

--nextPart1977332.vslOlgHxSZ--





