From: Olivier Certner
To: Ravi Pokala, Cy Schubert
Cc: src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: cfbe7a62dc62 - main - nfs, rpc: Ensure kernel credentials have at least one group
Date: Sun, 03 Nov 2024 11:46:58 +0100
Message-ID: <2884013.iL6vRArjjl@ravel>
In-Reply-To: <3070589.hHqAuc6tWs@ravel>
References: <202411022039.4A2KdbAE046580@gitrepo.freebsd.org> <20241103065704.4377C114@slippy.cwsent.com> <3070589.hHqAuc6tWs@ravel>

Could you please test the attached patch and confirm it fixes the problems you're seeing?

-- 
Olivier Certner

Attachment: 0001-nfs-Fallback-to-GID_NOGROUP-on-no-groups.patch

From ab37cd80635b52f59fbce53f942cddd79002f233 Mon Sep 17 00:00:00 2001
From: Olivier Certner Date: Sun, 3 Nov 2024 11:26:37 +0100 Subject: [PATCH] nfs: Fallback to GID_NOGROUP on no groups We cannot unconditionally access nfsd's VNET variables in 'sys/kern/vfs_export.c' nor 'sys/fs/nfsserver/nfs_nfsdsubs.c', as they may not have been compiled in depending on build options. So, forget about the extra mile of using the configured default group and use the hardcoded GID_NOGROUP (which differs only on systems running nfsuserd(8) and with a non-default UID for their "nogroup" group). Fixes: cfbe7a62dc62 ("nfs, rpc: Ensure kernel credentials have at least one group") --- sys/fs/nfs/nfs_commonport.c | 3 +-- sys/fs/nfs/nfs_commonsubs.c | 2 +- sys/kern/vfs_export.c | 9 +++------ 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c index 11f31d1a0e9f..0c94f4e7dc52 100644 --- a/sys/fs/nfs/nfs_commonport.c +++ b/sys/fs/nfs/nfs_commonport.c @@ -73,11 +73,10 @@ uint32_t nfs_srvmaxio = NFS_SRVMAXIO; NFSD_VNET_DEFINE(struct nfsstatsv1 *, nfsstatsv1_p); NFSD_VNET_DECLARE(struct nfssockreq, nfsrv_nfsuserdsock); NFSD_VNET_DECLARE(nfsuserd_state, nfsrv_nfsuserd); -NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid); int nfs_pnfsio(task_fn_t *, void *); static int nfs_realign_test; static int nfs_realign_count; @@ -258,11 +257,11 @@ newnfs_copycred(struct nfscred *nfscr, struct ucred *cr) KASSERT(nfscr->nfsc_ngroups >= 0, ("newnfs_copycred: negative nfsc_ngroups")); cr->cr_uid = nfscr->nfsc_uid; crsetgroups_fallback(cr, nfscr->nfsc_ngroups, nfscr->nfsc_groups, - NFSD_VNET(nfsrv_defaultgid)); + GID_NOGROUP); } /* * Map args from nfsmsleep() to msleep(). */ diff --git a/sys/fs/nfs/nfs_commonsubs.c b/sys/fs/nfs/nfs_commonsubs.c index ce4b0052714e..81c558d768ea 100644 --- a/sys/fs/nfs/nfs_commonsubs.c +++ b/sys/fs/nfs/nfs_commonsubs.c 
@@ -4050,11 +4050,11 @@ nfssvc_idname(struct nfsd_idargs *nidp) * but using the group list provided. */ cr = crget(); cr->cr_uid = cr->cr_ruid = cr->cr_svuid = nidp->nid_uid; crsetgroups_fallback(cr, nidp->nid_ngroup, grps, - NFSD_VNET(nfsrv_defaultgid)); + GID_NOGROUP); cr->cr_rgid = cr->cr_svgid = cr->cr_gid; cr->cr_prison = curthread->td_ucred->cr_prison; prison_hold(cr->cr_prison); #ifdef MAC mac_cred_associate_nfsd(cr); diff --git a/sys/kern/vfs_export.c b/sys/kern/vfs_export.c index c0337b1fe858..a314bda164de 100644 --- a/sys/kern/vfs_export.c +++ b/sys/kern/vfs_export.c @@ -38,10 +38,11 @@ #include "opt_inet.h" #include "opt_inet6.h" #include #include +#include #include #include #include #include #include @@ -59,14 +60,10 @@ #include #include #include -#include - -NFSD_VNET_DECLARE(gid_t, nfsrv_defaultgid); - static MALLOC_DEFINE(M_NETADDR, "export_host", "Export host address structure"); #if defined(INET) || defined(INET6) static struct radix_node_head *vfs_create_addrlist_af( struct radix_node_head **prnh, int off); @@ -136,11 +133,11 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep, np = &nep->ne_defexported; np->netc_exflags = argp->ex_flags; np->netc_anon = crget(); np->netc_anon->cr_uid = argp->ex_uid; crsetgroups_fallback(np->netc_anon, argp->ex_ngroups, - argp->ex_groups, NFSD_VNET(nfsrv_defaultgid)); + argp->ex_groups, GID_NOGROUP); np->netc_anon->cr_prison = &prison0; prison_hold(np->netc_anon->cr_prison); np->netc_numsecflavors = argp->ex_numsecflavors; bcopy(argp->ex_secflavors, np->netc_secflavors, sizeof(np->netc_secflavors)); 
@@ -215,11 +212,11 @@ vfs_hang_addrlist(struct mount *mp, struct netexport *nep, } np->netc_exflags = argp->ex_flags; np->netc_anon = crget(); np->netc_anon->cr_uid = argp->ex_uid; crsetgroups_fallback(np->netc_anon, argp->ex_ngroups, argp->ex_groups, - NFSD_VNET(nfsrv_defaultgid)); + GID_NOGROUP); np->netc_anon->cr_prison = &prison0; prison_hold(np->netc_anon->cr_prison); np->netc_numsecflavors = argp->ex_numsecflavors; bcopy(argp->ex_secflavors, np->netc_secflavors, sizeof(np->netc_secflavors));
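
Review bot: In newnfs_copycred() (sys/fs/nfs/nfs_commonport.c, hunk at -258), the new GID_NOGROUP argument to crsetgroups_fallback() has no comment explaining why the configured nfsrv_defaultgid is not used; the reason (nfsd's VNET variables may not be compiled in) is recorded only in the commit message. A short comment above the call would keep a later change from reintroducing NFSD_VNET(nfsrv_defaultgid) here. The commit message also names 'sys/fs/nfsserver/nfs_nfsdsubs.c', while the diffstat lists nfs_commonport.c and nfs_commonsubs.c; it is worth aligning the message with the files actually changed.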
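
Review bot: In nfssvc_idname() (sys/fs/nfs/nfs_commonsubs.c, hunk at -4050), the fallback GID does not stay confined to cr_gid: the line right after the call, `cr->cr_rgid = cr->cr_svgid = cr->cr_gid;`, copies it into the real and saved GIDs, so a request arriving with no groups now yields a credential whose effective, real and saved GIDs are all the hard-coded GID_NOGROUP. The commit message acknowledges that this differs from the configured default on systems running nfsuserd(8) with a non-default "nogroup"; on such systems it should be confirmed that the hard-coded GID is not assigned to a group that grants access, and the behaviour change deserves a comment at the call site. The message's "non-default UID" for a group presumably means GID.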
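
Review bot: In vfs_hang_addrlist() (sys/kern/vfs_export.c, hunks at -136 and -215), the anonymous-credential setup (crget(), cr_uid from argp->ex_uid, crsetgroups_fallback(), cr_prison = &prison0, prison_hold()) is duplicated in both branches, and this patch has to apply the identical edit twice. Moving that sequence into a small static helper taking argp would leave one place where the fallback GID is chosen and remove the risk of the two copies diverging. The two crsetgroups_fallback() calls are also wrapped differently; making them consistent would help if the helper is not adopted.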