From owner-freebsd-stable@FreeBSD.ORG Fri Mar 16 20:13:08 2012
From: Slawa Olhovchenkov <slw@zxy.spb.ru>
To: "Patrick M. Hausen"
Cc: freebsd-stable@freebsd.org
Subject: Re: ZFS & NFS
Date: Sat, 17 Mar 2012 00:13:32 +0400
Message-ID: <20120316201332.GN97848@zxy.spb.ru>
In-Reply-To: <114CC851-7F85-470D-B203-5B2E9E35B7BD@punkt.de>
References: <20120316172006.GM97848@zxy.spb.ru> <20120316174233.GN52973@zxy.spb.ru> <114CC851-7F85-470D-B203-5B2E9E35B7BD@punkt.de>
List-Id: Production branch of FreeBSD source code

On Fri, Mar 16, 2012 at 07:34:56PM +0100, Patrick M. Hausen wrote:
> Hello,
>
> On 16.03.2012 at 18:42 Slawa Olhovchenkov wrote:
> > On Fri, Mar 16, 2012 at 06:32:43PM +0100, Patrick M. Hausen wrote:
> >
> >> Hello,
> >>
> >> On 16.03.2012 at 18:20 Slawa Olhovchenkov wrote:
> >>> I do NFSv3 export of ZFS.
> >>> root from remote host creates files on ZFS with uid 2^32-2:
> >>>
> >>> # ls -l /usr/ports/packages32/
> >>> total 6
> >>> drwxr-xr-x 2 4294967294 wheel 5 Mar 17 00:57 All
> >>> drwxr-xr-x 2 4294967294 wheel 5 Mar 17 00:57 Latest
> >>> drwxr-xr-x 2 4294967294 wheel 3 Mar 17 00:52 archivers
> >>> drwxr-xr-x 2 4294967294 wheel 4 Mar 17 00:57 lang
> >>
> >>
> >> Yes? This is expected behaviour of NFS. If you don't want that, try
> >>
> >> -maproot=root
> >>
> >> either in the sharenfs option to zfs or in /etc/exports, whichever it is you are using.
> >
> > hmm...
> > nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> >
> > 65534 != 4294967294 (2^16-2 != 2^32-2)
> >
> > Also, I think ZFS+NFS will be wrong for UID>2^15.
>
> I admit I overlooked that one (16 vs 32 bits). But if I'm not mistaken, NFS does not care
> a bit about the name of the user "nobody" or the UID in /etc/passwd or what-have-you.
> It simply sets the UID of remote root (UID 0) to the value -1.

https://blogs.oracle.com/taylor22/entry/nfs_root_access_on_sun
===
In a default configuration, a Solaris NFS server maps "root" access to "nobody".
===

http://pubs.opengroup.org/onlinepubs/9629799/chap12.htm#tagcjh_13_03_03
===
In some operating systems, a particular user (on UNIX systems, the user ID 0) has access to all files, no matter what permission and ownership they have. This super-user permission might not be allowed on the server, since anyone who can become super-user on their client could gain access to all remote files. A UNIX server by default maps user ID 0 to a distinguished value (UID_NOBODY), as well as mapping the groups list, before doing its access checking. A server implementation may provide a mechanism to change this mapping. This works except for NFS Version 3 protocol root file systems (required for diskless NFS Version 3 protocol client support), where super-user access cannot be avoided. Export options are used, on the server, to restrict the set of clients allowed super-user access.
===

/usr/include/sys/_types.h:typedef __uint32_t __uid_t;

> And 4294967294 happens to be -1 in 32 bits signed. So - possibly this is built into
> ZFS this way. I would at least give the sharenfs="..." options a try ...

4294967294 happens to be -2 in 32 bits signed. And I see the type of UID (uid_t) is unsigned.
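The two points the thread turns on (which uid remote root is squashed to, and why that uid prints as 4294967294) can be checked directly. The program below is an added illustration written for this archive page; it is not code from the thread, from FreeBSD's mountd or from its NFS server. It models the -maproot / -mapall credential mapping that exports(5) documents (the -2:-2 default when neither option is given is taken from that manual page, not from the thread), reinterprets the numeric owner column of a listing like the one quoted above as signed 32- and 16-bit values, and parses a constructed `ls -l` line in the same format to pull the owner out.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/*
 * Added example, not FreeBSD's mountd/kernel code: a simplified model of
 * the root-squash credential mapping described in exports(5), plus the
 * integer reinterpretation that explains the 4294967294 owner seen in the
 * quoted listing.
 */

/* Anonymous uid used when neither -maproot nor -mapall is given.
 * Assumed from the -2:-2 default that exports(5) documents. */
#define DEFAULT_ANON_UID ((uid_t)-2)

enum map_mode { MAP_NONE, MAP_ROOT, MAP_ALL };

struct export_opts {
    enum map_mode mode;  /* which of -maproot / -mapall is in effect */
    uid_t map_uid;       /* the uid named by that option (0 for =root) */
};

/* Credential the server would act with for a request carrying client_uid. */
uid_t server_effective_uid(const struct export_opts *o, uid_t client_uid)
{
    switch (o->mode) {
    case MAP_ALL:
        return o->map_uid;                    /* every client uid is mapped */
    case MAP_ROOT:
        return client_uid == 0 ? o->map_uid : client_uid;
    default:
        return client_uid == 0 ? DEFAULT_ANON_UID : client_uid;
    }
}

/* The numeric owner that ls prints when no passwd entry matches,
 * read back as a signed 32-bit value: 4294967294 -> -2. */
int32_t uid_as_signed32(uid_t u)
{
    return (int32_t)u;
}

/* The same -2 truncated to 16 bits, i.e. the nobody uid in passwd: 65534. */
uint16_t minus_two_as_uid16(void)
{
    return (uint16_t)-2;
}

/* Pull the owner column out of one `ls -l` style line. Returns -1 when the
 * owner is not numeric (a resolved name) or the line does not parse. */
int64_t owner_from_ls_line(const char *line)
{
    char perms[16];
    unsigned long links, owner;
    if (sscanf(line, "%15s %lu %lu", perms, &links, &owner) != 3)
        return -1;
    return (int64_t)owner;
}

int main(void)
{
    /* Constructed sample line in the format of the listing quoted above. */
    const char *line = "drwxr-xr-x 2 4294967294 wheel 5 Mar 17 00:57 All";
    int64_t owner = owner_from_ls_line(line);
    struct export_opts dflt = { MAP_NONE, 0 };
    struct export_opts maproot = { MAP_ROOT, 0 };

    printf("owner column: %" PRId64 " (as int32: %" PRId32 ")\n",
           owner, uid_as_signed32((uid_t)owner));
    printf("16-bit -2: %u\n", (unsigned)minus_two_as_uid16());
    printf("remote root, default exports: uid %" PRIu32 "\n",
           (uint32_t)server_effective_uid(&dflt, 0));
    printf("remote root, -maproot=root:   uid %" PRIu32 "\n",
           (uint32_t)server_effective_uid(&maproot, 0));
    return 0;
}
```

The model makes the thread's arithmetic concrete: with no mapping option the squashed owner is (uid_t)-2, which a 32-bit unsigned uid_t prints as 4294967294 and a 16-bit uid would print as 65534, and only an explicit -maproot=root leaves remote root as uid 0 on the server.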