[PATCH] disable nfsd (NFSv4) nobody/nogroup check
Ronald Klop
ronald-lists at klop.ws
Tue Oct 14 12:04:12 UTC 2014
I thought it is advised to make settings positively defined. So not use
'disable = 1', but 'enable = 0'.
Ronald.
On Tue, 14 Oct 2014 12:46:25 +0200, Marcelo Araujo
<araujobsdport at gmail.com> wrote:
> Hello Blot,
>
> The patch looks reasonable.
> As per the email thread, seems a good approach to overcome this issue, at
> least for now.
>
> If Rick has no objection and no free time, I can commit the patch during
> this week.
>
> Best Regards,
>
> 2014-10-14 18:34 GMT+08:00 Loïc Blot <loic.blot at unix-experience.fr>:
>
>> Hi,
>> since a recent problem (see thread NFSv4 nobody issue), I think we need a
>> sysctl variable to disable nobody and nogroup check into the kernel
>> (default enabled)
>> This variable is useful in some situations, like TFTP over NFS, jails
>> over NFS (some files like /var/db/locate.database need nobody user).
>>
>> I added vfs.nfsd.disable_nobodycheck and vfs.nfsd.disable_nogroupcheck to
>> modify NFSv4 nobody/nogroup check.
>>
>> Thanks to Rick for telling me where the problem was.
>>
>> Can you review the patch, and add it to the kernel to avoid the previously
>> mentioned issue.
>>
>> Here is my patch:
>>
>> --- sys/fs/nfsserver/nfs_nfsdsubs.c.orig 2014-10-14
>> 12:03:50.163311506
>> +0200
>> +++ sys/fs/nfsserver/nfs_nfsdsubs.c 2014-10-14 12:06:29.793304755
>> +0200
>> @@ -62,9 +62,18 @@
>> SYSCTL_DECL(_vfs_nfsd);
>>
>> static int disable_checkutf8 = 0;
>> +static int disable_nobodycheck = 0;
>> +static int disable_nogroupcheck = 0;
>> SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_checkutf8, CTLFLAG_RW,
>> &disable_checkutf8, 0,
>> "Disable the NFSv4 check for a UTF8 compliant name");
>> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nobodycheck, CTLFLAG_RW,
>> + &disable_nobodycheck, 0,
>> + "Disable the NFSv4 check when setting user nobody as owner");
>> +SYSCTL_INT(_vfs_nfsd, OID_AUTO, disable_nogroupcheck, CTLFLAG_RW,
>> + &disable_nogroupcheck, 0,
>> + "Disable the NFSv4 check when setting group nogroup as owner");
>> +
>>
>> static char nfsrv_hexdigit(char, int *);
>>
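Review bot: The description strings on the two new SYSCTL_INT entries do not say what the check does when it is left enabled, so an administrator reading the sysctl description cannot tell what changes when the knob is set to 1. Something like "Disable the NFSv4 check that rejects setting the owner to the default uid (nobody)", and the equivalent for the group, would state the effect. Both knobs are CTLFLAG_RW and default to 0, so the check stays on unless someone sets them, which is the safe default, but they need documenting wherever disable_checkutf8 is documented. On the naming question raised in this thread, the disable_ prefix is consistent with disable_checkutf8 directly above, so renaming only the new pair would leave the three knobs inconsistent. The hunk also adds an empty line directly before an existing empty line, leaving two in a row ahead of the nfsrv_hexdigit prototype; drop the added one.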
>> @@ -1543,8 +1552,8 @@
>> */
>> if (NFSVNO_NOTSETUID(nvap) && NFSVNO_NOTSETGID(nvap))
>> goto out;
>> - if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid)
>> - || (NFSVNO_ISSETGID(nvap) && nvap->na_gid ==
>> nfsrv_defaultgid)) {
>> + if ((NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid &&
>> disable_nobodycheck == 0)
>> + || (NFSVNO_ISSETGID(nvap) && nvap->na_gid == nfsrv_defaultgid
>> &&
>> disable_nogroupcheck == 0)) {
>> error = NFSERR_BADOWNER;
>> goto out;
>> }
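Review bot: The two rewritten condition lines run well past 80 columns and put the sysctl test last in each arm; testing the knob first, for example "disable_nobodycheck == 0 && NFSVNO_ISSETUID(nvap) && nvap->na_uid == nfsrv_defaultuid", and wrapping per style(9) would read better and make the gating obvious. The two arms remain independent, so with only disable_nobodycheck set a request that sets both the uid and the gid to the defaults still gets NFSERR_BADOWNER from the gid arm; if that is intended, say so in the sysctl descriptions. The comment that closes just above this block is not touched by the hunk, and it should be updated to mention that either half of the check can now be switched off, since the code below it no longer always returns NFSERR_BADOWNER for the default uid or gid.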
>> Regards,
>>
>> Loïc Blot,
>> UNIX Systems, Network and Security Engineer
>> http://www.unix-experience.fr
>> _______________________________________________
>> freebsd-fs at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-fs
>> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
>
>
>