From: Rick Macklem
Date: Mon, 14 Oct 2024 12:48:08 -0700
Subject: NFS server credentials with cr_ngroups == 0
To: FreeBSD CURRENT
Cc: freebsd-stable@freebsd.org, Olivier Certner, Brooks Davis, so@freebsd.org
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

olce@ reported an issue where the credentials used for mapped user
exports (for the NFS server) could have cr_ngroups == 0.

At first I thought this was a mountd bug, but he pointed out the
exports(5) manpage, which says:

    Note that user: should be used to distinguish a credential
    containing no groups from a complete credential for that user.
    The group names may be quoted, or use backslash escaping.

As such, this is not just an allowed case, but a documented one.
(This snippet from exports(5) goes all the way back to May 1994 when
the man page was imported from 4.4BSD Lite.)

Note that these credentials are not POSIX syscall ones. They are used
specifically by the NFS server for file access.

The good news is that the current main sources appear to always funnel
down into groupmember() to check this.

The not so good news is that commit 7f92e57 (Jun 20, 2009) broke
groupmember() for the case where cr_ngroups == 0, assuming there would
always be at least one group (cr_groups[0] or cr_gid, if you prefer).

So, what should we do about this?
#1 A simple patch can be applied to groupmember() and a couple of
   places in the NFS server code, so that cr_ngroups == 0 again works
   correctly for this case.
#2 Decide that cr_ngroups == 0 should no longer be supported and patch
   accordingly.
OR
???

Personally, I am thinking that #1 should be done right away and MFC'd
to stable/14 and stable/13 so that the currently documented behaviour
is supported for FreeBSD 13 and FreeBSD 14. (To do otherwise would seem
to be a POLA violation to me.)

Then, the FreeBSD community needs to decide if #2 should be done (or
document that the cr_ngroups == 0 case needs to work correctly).

Please respond with your opinion w.r.t. how to handle this.

Note that if a file with these permissions:

    rw-r----- 1 root games 409 Dec 30 2023 foo

were exported to a client with the following exports(5) line:

    /home -sec=sys -maproot=1001:

Then, "root" on an NFS mounted client tried to read the file, the
attempt should fail (assuming root is not a member of games).
However, if cr_groups[0] just happened to have 13 in it (it is random
junk when cr_ngroups == 0), the read would succeed.

--> This vulnerability can be avoided by never using the syntax "=:"
    for -maproot or -mapall in /etc/exports.

Should so@ do some sort of announcement w.r.t. this?

Thanks in advance for your comments, rick

ps: Yes, I cross posted, since I wanted both developers and users to
    see this.
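
An added example (not part of the original message and not FreeBSD code): a Python audit of exports(5) text for the form the message says to avoid, a -maproot or -mapall value given as a user followed by a colon with no groups. The sample file is constructed, and the parsing (backslash continuations, `#` comments, shell-style quoting via shlex) is a simplifying assumption about exports(5) syntax, not mountd's own parser.

```python
import shlex

MAP_OPTS = ("-maproot=", "-mapall=")

# Constructed sample; hosts, paths and users are illustrative only.
SAMPLE = """\
# constructed sample exports file
/home -sec=sys -maproot=1001: client1
/usr/src -maproot=1001:20:0 client2
/data -alldirs \\
      -mapall=nobody: -network 192.0.2.0/24
/pub -ro -mapall=nobody
/srv -maproot="build user": client3
"""

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, joined_text)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        raw = raw.rstrip()
        if start is None:
            start = no
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def empty_group_maps(text):
    """Return (line_no, option) for each map option written as 'user:' with no groups."""
    hits = []
    for no, line in logical_lines(text):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: fall back to a plain split
            tokens = line.split("#", 1)[0].split()
        for tok in tokens:
            for opt in MAP_OPTS:
                if tok.startswith(opt):
                    _user, sep, groups = tok[len(opt):].partition(":")
                    # A colon with nothing but colons after it means "no groups".
                    if sep and not groups.strip(":"):
                        hits.append((no, tok))
    return hits

if __name__ == "__main__":
    for no, tok in empty_group_maps(SAMPLE):
        print(f"line {no}: {tok} maps to a credential with no groups")
```

To audit a real host, pass the contents of /etc/exports to `empty_group_maps()` instead of `SAMPLE`.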