Date:      Wed, 15 Oct 2014 19:46:05 -0400 (EDT)
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        araujo@FreeBSD.org
Cc:        freebsd-fs@freebsd.org
Subject:   Re: [PATCH] disable nfsd (NFSv4) nobody/nogroup check
Message-ID:  <1865571459.65576954.1413416765814.JavaMail.root@uoguelph.ca>
In-Reply-To: <CAOfEmZhFgx21qa3W_mx9%2B3ERT-_yU1gqJHxviUWXWTh8Dxnt1A@mail.gmail.com>

Marcelo Araujo wrote:
>
> Hello Ronald and Blot,
>
> Here is the patch with a small rework. I consider Ronaldo's comments
> as well as I just change a bit the code style.
>
> If you guys agree with the patch, I will commit it today.
>
Looks fine to me.

>
> Note: About the disable_utf8 that Rick has mentioned, I will rework
> that part later to make it enable_utf8 instead of disable_utf8.
>
If you do change this one, try to include something in the description
string w.r.t. RFC-3530 requires it to be enabled.

Thanks, rick

>
> Best Regards,
>
> 2014-10-14 20:12 GMT+08:00 Marcelo Araujo < araujobsdport@gmail.com >:
>
> Hello All,
>
> Before I commit it, I will double check what is the best way.
> Thanks to Ronald for pointing it out.
>
> Best Regards,
>
> 2014-10-14 20:09 GMT+08:00 Rick Macklem < rmacklem@uoguelph.ca >:
>
> Ronald Klop wrote:
> > I thought it is advised to make settings positively defined. So not
> > use 'disable = 1', but 'enable = 0'.
> >
> For the case of disable_utf8, I made it negative, since disabling the
> check violates RFC-3530. For these checks, there isn't anything in the
> RFC requiring the check AFAIK, so I personally don't care which way
> they are done. (If the default is disabling the check that could be a
> minor POLA violation.)
>
> So, you guys choose whichever you prefer to commit, rick
>
> > Ronald.
> >
> > On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
> > < araujobsdport@gmail.com > wrote:
> >
> > > Hello Blot,
> > >
> > > The patch looks reasonable.
> > > As per the email thread, seems a good approach to overcome this
> > > issue, at least for now.
> > >
> > > If Rick has no objection and no free time, I can commit the patch
> > > during this week.
> > >
> > > Best Regards,
> > >
> > > 2014-10-14 18:34 GMT+08:00 Loïc Blot
> > > < loic.blot@unix-experience.fr >:
> > >
> > >> Hi,
> > >> since a recent problem (see thread NFSv4 nobody issue), I think we
> > >> need a sysctl variable to disable nobody and nogroup check into the
> > >> kernel (default enabled).
> > >> This variable is useful in some situations, like TFTP over NFS,
> > >> jails over NFS (some files like /var/db/locate.database need nobody
> > >> user).
> > >>
> > >> I added vfs.nfsd.disable_nobodycheck and
> > >> vfs.nfsd.disable_nogroupcheck to modify NFSv4 nobody/nogroup check.
> > >>
> > >> Thanks to Rick to tell me where the problem was.
> > >>
> > >> Can you review the patch, and add it to kernel to avoid previous
> > >> mentioned issue.
> > >>
> > >> Here is my patch:
> > >>
> > >> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14
> > >> 12:03:50.163311506
> > >> +0200
> > >> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14
> > >> 12:06:29.793304755
> > >> +0200
> > >> @@ -62,9 +62,18 @@
> > >> SYSCTL_DECL(_vfs_nfsd);
> > >>=20
> > >> static int disable_checkutf8 =3D 0;
> > >> +static int disable_nobodycheck =3D 0;
> > >> +static int disable_nogroupcheck =3D 0;
> > >> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
> > >> &disable_checkutf8, 0,
> > >> "Disable the NFSv4 check for a UTF8 compliant name");
> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck,
> > >> CTLFLAG_RW,
> > >> + &disable_nobodycheck, 0,
> > >> + "Disable the NFSv4 check when setting user nobody as
> > >> owner");
> > >> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck,
> > >> CTLFLAG_RW,
> > >> + &disable_nogroupcheck, 0,
> > >> + "Disable the NFSv4 check when setting group nogroup as
> > >> owner");
> > >> +
> > >>=20
> > >> static char nfsrv_hexdigit(char, int *);
> > >>=20
> > >> @@ -1543,8 +1552,8 @@
> > >> */
> > >> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
> > >> goto out;
> > >> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > >> nfsrv_defaultuid)
> > >> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > >> nfsrv_defaultgid)) {
> > >> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid =3D=3D
> > >> nfsrv_defaultuid &&
> > >> disable_nobodycheck =3D=3D 0)
> > >> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid =3D=3D
> > >> nfsrv_defaultgid
> > >> &&
> > >> disable_nogroupcheck =3D=3D 0)) {
> > >> error =3D NFSERR_BADOWNER;
> > >> goto out;
> > >> }
> > > >> Regards,
> > > >>
> > > >> Loïc Blot,
> > > >> UNIX Systems, Network and Security Engineer
> > > >> http://www.unix-experience.fr
> > >> _______________________________________________
> > >> freebsd-fs@freebsd.org mailing list
> > >> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > >> To unsubscribe, send any mail to
> > >> " freebsd-fs-unsubscribe@freebsd.org "
> > >=20
> > >=20
> > >=20
> > _______________________________________________
> > freebsd-fs@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-fs
> > To unsubscribe, send any mail to "
> > freebsd-fs-unsubscribe@freebsd.org "
> >=20
>=20
>=20
>=20
>=20
> --
>=20
>=20
>=20
>=20
> --
> Marcelo Araujo            (__) araujo@FreeBSD.org \\\'',)
> http://www.FreeBSD.org \/  \ ^
> Power To Server.         .\. /_)