Date: Sun, 21 Feb 2010 12:02:28 +0200 From: Daniel Braniss <danny@cs.huji.ac.il> To: Jeremy Chadwick <freebsd@jdc.parodius.com> Cc: freebsd-stable@freebsd.org Subject: Re: RELENG_8 -- NFSv3 credentials/permissions issue Message-ID: <E1Nj8dw-0009FM-U1@kabab.cs.huji.ac.il> In-Reply-To: <20100221074606.GA49241@icarus.home.lan> References: <20100219191102.GA1045@icarus.home.lan> <E1Nj6CH-0005fP-Uh@kabab.cs.huji.ac.il> <20100221074606.GA49241@icarus.home.lan>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Sun, Feb 21, 2010 at 09:25:45AM +0200, Daniel Braniss wrote:
> > > I'm willing to bet this is something simple I've overlooked, but I'm out
> > > of ideas. Client is 8.0-RELEASE i386, server is 8.0-STABLE amd64
> > > (kernel/world 2010/01/16). NFS version used is v3. Server filesystem
> > > is UFS2.
> > at boot time, the NFS is V2!, if the server is FreeBSD it can be upgraded
> > later in the boot progress to V3
> > >
> > > Client configuration is off-kilter: it's a PXE booted machine. Initial
> > > PXE booting uses TFTP, then switches to NFS to load the kernel and
> > > kernel modules. The TFTP part works, with a caveat[1], but the NFS
> > > portion fails.
> > TFTP is as old as the Internet, so it mostly works, and security was in dipers,
> > so the T for trivial also means un-secure :-)
> > >
> > > With NFS, I'm forced to change permissions on all the exported
> > > files/directories to be 0644/0755 (specifically, setting other/global
> > > read/write access) otherwise the client gets back "Permission denied".
> > > The nfsd(8) man page implies that this shouldn't be necessary; adding
> > > -mapall=nobody:nobody or -maproot=nobody doesn't fix things either.
> > >
> > why not use -maproot=root?
> > by adding -ro, the client will be able to read but not modify.
> > That's what we do here, the /etc is mounted via unionfs to a md, but
> > that is yet another solution.
>
> I'll have to try that (shouldn't take me long), but I remember messing
> with -maproot and -mapall both and wasn't able to get anywhere. I'll
> try again and report back.
>
> > > Configuration data, tcpdump validation (client=192.168.1.140,
> > > server=192.168.1.51), and syslog data is below.
> > >
> > > Ideas?
> > >
> > > [1]: TFTP works as long as the file its trying to request (in this case
> > > /usr/local/freebsd8/boot/pxeboot) has its other/global read bit set,
> > > otherwise EACCESS is returned; I had to look in the tftpd source to
> > > figure this out. I'm not sure what the justification is there, given
> > > that use of -s and/or -u switches credentials to user/group nobody...
> > >
> > only root can read a file with mode 0, so you need to set the read bit for
> > any non root user.
>
> I'm not sure if you're referring to NFS here, or my TFTP comment. My
> TFTP comment should be discussed elsewhere -- it's broken/odd behaviour,
> but the workaround for TFTP (to set the file permissions to 0644 for
> read) I'm fine with -- it's TFTP! :-)
>
if the owner does not have read permition, it wont be able to read the file,
no matter that the other read bits are enabled.
% date > 0
% chmod 04 0
% cat 0
cat: 0: Permission denied
% chmod 040 0
% cat 0
cat: 0: Permission denied
% chmod 0400 0
% cat 0
Sun Feb 21 11:47:32 IST 2010
%
this answers the TFTP problem.
> With regards to NFS: none of the files below are mode 0000. The request
> made via NFS should have gotten "translated" to being done by
> nobody:nobody on the NFS server, since there's no -mapall or -maproot
> line in the exports; user nobody has read access to everything shown
> below, so "Permission denied" makes no sense.
>
as I mentioned before/above, maybe not so clearly, the initial NFS transactions
are done via NFS/V2 - which is problematic/broken[1], and so probably
the access permitions are not exactly what we expect.
[1]: rm /any-file in a read-only exported fs will hang the client
> > > Permissions
> > > =============
> > > drwxr-xr-x 22 root wheel 512 Feb 6 12:25 /
> > > drwxr-xr-x 17 root wheel 512 Feb 12 03:38 /usr
> > > drwxr-xr-x 15 root wheel 512 Feb 19 10:41 /usr/local
> > > drwx------ 5 nobody nobody 512 Feb 19 10:42 /usr/local/freebsd8
> > > drwx------ 7 nobody nobody 1024 Nov 21 08:11 /usr/local/freebsd8/boot
> > > drwx------ 2 nobody nobody 12800 Nov 21 08:11 /usr/local/freebsd8/boot/kernel
> > > -r-------- 1 nobody nobody 11492703 Nov 21 07:48 /usr/local/freebsd8/boot/kernel/kernel
> > >
> > > tcpdump
> > > =========
> > > {...snipping TFTP portion...}
> > > 10:57:20.601313 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:30:48:71:60:6b, length 548
> > > 10:57:20.601442 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply, length 323
> > > 10:57:20.601688 IP 192.168.1.140.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:30:48:71:60:6b, length 548
> > > 10:57:20.601782 IP 192.168.1.51.67 > 192.168.1.140.68: BOOTP/DHCP, Reply, length 323
> > > 10:57:20.613056 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
> > > 10:57:20.613369 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
> > > 10:57:20.613556 IP 192.168.1.140.1023 > 192.168.1.51.947: UDP, length 84
> > > 10:57:20.613921 IP 192.168.1.51.947 > 192.168.1.140.1023: UDP, length 60
> > > 10:57:20.614055 IP 192.168.1.140.1023 > 192.168.1.51.111: UDP, length 76
> > > 10:57:20.614291 IP 192.168.1.51.111 > 192.168.1.140.1023: UDP, length 28
> > > 10:57:20.614432 IP 192.168.1.140.4 > 192.168.1.51.2049: 100 lookup fh 1197,150310/6618112 "boot"
> > > 10:57:20.614458 IP 192.168.1.51.2049 > 192.168.1.140.4: reply ok 28 lookup ERROR: Permission denied
> > > 10:57:20.615436 IP 192.168.1.140.1022 > 192.168.1.51.947: UDP, length 84
> > > 10:57:20.615677 IP 192.168.1.51.947 > 192.168.1.140.1022: UDP, length 60
> > > 10:57:20.615806 IP 192.168.1.140.6 > 192.168.1.51.2049: 100 lookup fh 1197,150310/6618112 "boot"
> > > 10:57:20.615824 IP 192.168.1.51.2049 > 192.168.1.140.6: reply ok 28 lookup ERROR: Permission denied
> > > 10:57:20.615929 IP 192.168.1.140.1021 > 192.168.1.51.947: UDP, length 84
> > > 10:57:20.616164 IP 192.168.1.51.947 > 192.168.1.140.1021: UDP, length 60
> > > 10:57:20.616308 IP 192.168.1.140.8 > 192.168.1.51.2049: 100 lookup fh 1197,150310/6618112 "boot"
> > > 10:57:20.616327 IP 192.168.1.51.2049 > 192.168.1.140.8: reply ok 28 lookup ERROR: Permission denied
> > > 10:57:20.616428 IP 192.168.1.140.1020 > 192.168.1.51.947: UDP, length 84
> > > 10:57:20.616660 IP 192.168.1.51.947 > 192.168.1.140.1020: UDP, length 60
> > > {...repeat until client gives up...}
>
> --
> | Jeremy Chadwick jdc@parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1Nj8dw-0009FM-U1>