Date: Sun, 9 Jul 2017 19:57:22 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Cc: "rc@freebsd.org" <rc@freebsd.org>
Subject: small patch for /etc/rc.d/nfsd, bugfix or POLA violation?
Message-ID: <YTXPR01MB0189F5614497D4FA96A7579ADDA80@YTXPR01MB0189.CANPRD01.PROD.OUTLOOK.COM>
[-- Attachment #1 --]
Hi,
The attached one line patch to /etc/rc.d/nfsd modifies the script so that it
does not force the nfsuserd to be run when nfsv4_server_enable is set.
(nfsuserd can still be enabled via nfsuserd_enable="YES" in /etc/rc.conf.)
Here's why I think this patch might be appropriate...
(a) - The original RFC for NFSv4 (RFC3530) essentially required Owners and
Owner_groups to be specified as <user>@<domain> and this required
the nfsuserd daemon to be running.
(b) - RFC7530, which replaced RFC3530, allows an Owner/Owner_group string to be
the uid/gid number in a string when using AUTH_SYS. This simplifies configuration
for an all AUTH_SYS/POSIX environment (most NFS uses, I suspect?).
To make the server do (b), two things need to be done:
1 - set vfs.nfsd.enable_stringtouid=1
2 - set vfs.nfsd.enable_uidtostring=1 (for head, I don't know if it will be MFC'd?)
OR
- never run nfsuserd after booting (killing it off after it has been running is not
sufficient)
Given the above, it would seem that /etc/rc.d/nfsd should not force running of
the nfsuserd daemon, due to changes in the protocol.
However, this will result in a POLA violation, in that after the patch, nfsuserd won't
start when booting, unless nfsuserd_enable="YES" is added to /etc/rc.conf.
So, what do people think about this patch?

rick
[-- Attachment #2 --]
--- nfsd.sav 2017-07-09 15:33:08.416383000 -0400
+++ nfsd 2017-07-09 15:33:42.577057000 -0400
@@ -33,8 +33,7 @@ nfsd_precmd()
sysctl vfs.nfsd.nfs_privport=0 > /dev/null
fi
- if checkyesno nfsv4_server_enable || \
- checkyesno nfs_server_managegids; then
+ if checkyesno nfs_server_managegids; then
force_depend nfsuserd || err 1 "Cannot run nfsuserd"
fi
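Review bot: in nfsd_precmd(), removing `checkyesno nfsv4_server_enable` from the condition takes away the only path that started nfsuserd for an NFSv4 server without nfsuserd_enable="YES", and the hunk puts nothing in its place. The message says the uid/gid-as-string behaviour still needs vfs.nfsd.enable_stringtouid=1, yet that sysctl is not set here, so an existing NFSv4 server would boot after this change with no nfsuserd, no sysctl and no message explaining why owner mapping changed. This function already sets a sysctl a few lines above (`sysctl vfs.nfsd.nfs_privport=0 > /dev/null`), so consider setting vfs.nfsd.enable_stringtouid there, or at least emitting a warning, when nfsv4_server_enable is on and nfsuserd is not enabled, and document the new need for nfsuserd_enable="YES" together with the change.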
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTXPR01MB0189F5614497D4FA96A7579ADDA80>
