[PATCH] disable nfsd (NFSv4) nobody/nogroup check
Loïc Blot
loic.blot at unix-experience.fr
Tue Oct 14 10:34:41 UTC 2014
Hi,
Since a recent problem (see thread NFSv4 nobody issue), I think we need a sysctl variable to disable the nobody and nogroup check in the kernel (default enabled).
This variable is useful in some situations, like TFTP over NFS, jails over NFS (some files like /var/db/locate.database need the nobody user).
I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to modify the NFSv4 nobody/nogroup check.
Thanks to Rick for telling me where the problem was.
Can you review the patch and add it to the kernel to avoid the previously mentioned issue?
Here is my patch:
--- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14 12:03:50.163311506 +0200
+++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 12:06:29.793304755 +0200
@@ -62,9 +62,18 @@
SYSCTL_DECL(_vfs_nfsd);
static int disable_checkutf8 = 0;
+static int disable_nobodycheck = 0;
+static int disable_nogroupcheck = 0;
SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
&disable_checkutf8, 0,
"Disable the NFSv4 check for a UTF8 compliant name");
+SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
+ &disable_nobodycheck, 0,
+ "Disable the NFSv4 check when setting user nobody as owner");
+SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
+ &disable_nogroupcheck, 0,
+ "Disable the NFSv4 check when setting group nogroup as owner");
+
static char nfsrv_hexdigit(char, int *);
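Review bot: The description strings on the two new SYSCTL_INT entries say "user nobody" and "group nogroup", but the test they gate in the second hunk compares against nfsrv_defaultuid and nfsrv_defaultgid, so the text should describe the default uid/gid rather than fixed account names. It would also help to state the effect of setting the knob to 1: a request that sets the owner or group to the default id is then accepted instead of failing with NFSERR_BADOWNER. Both knobs are CTLFLAG_RW and change what ownership a client may set, so they deserve a line in the nfsd documentation alongside disable_checkutf8.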
@@ -1543,8 +1552,8 @@
*/
if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
goto out;
- if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
- || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid)) {
+ if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid && disable_nobodycheck == 0)
+ || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid && disable_nogroupcheck == 0)) {
error = NFSERR_BADOWNER;
goto out;
}
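Review bot: The two rewritten condition lines run well past 80 columns; wrap each sub-expression onto its own continuation line, and consider testing the flag first (disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && ...) so the gate is the first thing a reader sees. The block comment that ends just above the NFSVNO_NOTSETUID test should also be updated to say that each half of the check can now be switched off independently, since NFSERR_BADOWNER is no longer returned unconditionally when na_uid or na_gid equals the default id.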
Regards,
Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr