From cjk32@cam.ac.uk  Sat Jun 19 15:23:50 2010
Message-Id: <201006191523.o5JFNlxr001598@chacal.wzl33>
Date: Sat, 19 Jun 2010 16:23:47 +0100 (BST)
From: Christopher Key <cjk32@cam.ac.uk>
Reply-To: Christopher Key <cjk32@cam.ac.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: NFS -mapall group permissions ignored when -network is specified
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         147998
>Category:       kern
>Synopsis:       [nfs] [patch] NFS -mapall group permissions ignored when -network is specified
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun 19 15:30:02 UTC 2010
>Closed-Date:    Fri Dec 28 14:08:42 UTC 2012
>Last-Modified:  Fri Dec 28 14:10:00 UTC 2012
>Originator:     Christopher Key
>Release:        FreeBSD 8.0-RELEASE-p2 amd64
>Organization:
>Environment:
System: FreeBSD chacal.wzl33 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #2: Sat Jun 19 15:45:05 BST 2010 root@chacal.wzl33:/usr/obj/usr/src/sys/CHACAL amd64


	
>Description:
When -network (or any host restriction, probably) is added to an NFS exports line, any group privileges for -mapall (and -maproot, probably) get ignored.

     
>How-To-Repeat:
Outline steps, not actually tested.

mkdir /exports/dir
touch /exports/dir/file

chown u1:g1 /exports/dir /exports/dir/file
chmod 750 /exports/dir
chmod 640 /exports/dir/file

echo "/exports/dir -ro -mapall nobody:g1" > /etc/exports
kill -s HUP $(cat /var/run/mountd.pid)
# Can access /exports/dir/file via NFS

echo "/exports/dir -ro -mapall nobody:g1 -network 192.168.2.0/24" > /etc/exports
kill -s HUP $(cat /var/run/mountd.pid)
# Can't access /exports/dir/file via NFS


Further details in,
http://forums.freebsd.org/showthread.php?t=14493

	
>Fix:

	

--- vfs_export.c.patch begins here ---
Index: sys/kern/vfs_export.c
===================================================================
--- sys/kern/vfs_export.c	(revision 209341)
+++ sys/kern/vfs_export.c	(working copy)
@@ -208,7 +208,7 @@
 	np->netc_anon = crget();
 	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
 	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
-	    np->netc_anon->cr_groups);
+	    argp->ex_anon.cr_groups);
 	np->netc_anon->cr_prison = &prison0;
 	prison_hold(np->netc_anon->cr_prison);
 	np->netc_numsecflavors = argp->ex_numsecflavors;
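Review bot: At the crsetgroups() call, the removed source argument np->netc_anon->cr_groups belongs to the credential returned by crget() two lines earlier, so the old code copied the new credential's group list onto itself and never read the groups requested in argp->ex_anon; taking the source from argp->ex_anon.cr_groups is the correct fix. The count argp->ex_anon.cr_ngroups is passed straight through from the export arguments and no range check is visible in this hunk. Please confirm it is validated before this point (or clamped inside crsetgroups()), since it now decides how many entries are read from argp->ex_anon.cr_groups.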
--- vfs_export.c.patch ends here ---


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: rmacklem 
State-Changed-When: Fri Dec 14 21:57:54 UTC 2012 
State-Changed-Why:  

I have committed the patch to head and will close this PR 
when it is MFC'd. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147998 
State-Changed-From-To: feedback->closed 
State-Changed-By: rmacklem 
State-Changed-When: Fri Dec 28 14:07:55 UTC 2012 
State-Changed-Why:  

The patch in the PR has been MFC'd. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=147998 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/147998: commit references a PR
Date: Fri, 28 Dec 2012 14:06:56 +0000 (UTC)

 Author: rmacklem
 Date: Fri Dec 28 14:06:49 2012
 New Revision: 244772
 URL: http://svnweb.freebsd.org/changeset/base/244772
 
 Log:
   MFC: r244226
   The group list for a non-default export entry (a host/subnet one)
   was being copied from the wrong place. This patch fixes that.
   This could cause access failures for mapped users, when the group
   permissions were needed.
   
   PR:		147998
   Submitted by:	Christopher Key (cjk32@cam.ac.uk)
 
 Modified:
   stable/9/sys/kern/vfs_export.c
 Directory Properties:
   stable/9/sys/   (props changed)
 
 Modified: stable/9/sys/kern/vfs_export.c
 ==============================================================================
 --- stable/9/sys/kern/vfs_export.c	Fri Dec 28 10:58:03 2012	(r244771)
 +++ stable/9/sys/kern/vfs_export.c	Fri Dec 28 14:06:49 2012	(r244772)
 @@ -208,7 +208,7 @@ vfs_hang_addrlist(struct mount *mp, stru
  	np->netc_anon = crget();
  	np->netc_anon->cr_uid = argp->ex_anon.cr_uid;
  	crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups,
 -	    np->netc_anon->cr_groups);
 +	    argp->ex_anon.cr_groups);
  	np->netc_anon->cr_prison = &prison0;
  	prison_hold(np->netc_anon->cr_prison);
  	np->netc_numsecflavors = argp->ex_numsecflavors;
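Review bot: The crsetgroups() call carries no comment saying that np->netc_anon is fresh from crget() and must be filled from argp->ex_anon, which is exactly the detail the original code got wrong. A one-line comment above the call would make a regression to the self-copy easier to catch in review. The log could also name the user-visible trigger reported in the PR (a -mapall or -maproot group on an export line that also carries -network or a host), so administrators tracking stable/9 can tell whether their exports were affected.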
 
>Unformatted:
