summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNiels de Vos <ndevos@redhat.com>2013-12-23 12:53:32 +0100
committerVijay Bellur <vbellur@redhat.com>2013-12-30 19:49:43 -0800
commit7e3dd526c62b3a1bb59945efdfed2c2fbbcf9cf9 (patch)
tree69088ce06313f6b03b9ff48a21eb4e0d568b8cb1
parentd85726d19432384e2c3dd6ceff4b7b4ec3f8f57a (diff)
rpc/server: add anonuid and anongid options for root-squash
Introduce new options to modify the behaviour of server.root-squash. With server.anonuid and server.anongid the uid/gid can be specified and the root user (uid=0 and gid=0) will be mapped to the given uid/gid instead of nfsnobody (uid=65534 and gid=65534). Many thanks to Vikhyat Umrao for writing the majority of the test-case! Change-Id: I6379a3d2ef52b9b9707f2f6f0529657580c8d779 BUG: 1043886 CC: Vikhyat Umrao <vumrao@redhat.com> Signed-off-by: Niels de Vos <ndevos@redhat.com> Reviewed-on: http://review.gluster.org/6546 Reviewed-by: Santosh Pradhan <spradhan@redhat.com> Reviewed-by: Vikhyat Umrao <vumrao@redhat.com> Tested-by: Gluster Build System <jenkins@build.gluster.com> Reviewed-by: Vijay Bellur <vbellur@redhat.com>
-rw-r--r--rpc/rpc-lib/src/rpcsvc-auth.c17
-rw-r--r--rpc/rpc-lib/src/rpcsvc-common.h2
-rw-r--r--rpc/rpc-lib/src/rpcsvc.h6
-rwxr-xr-xtests/bugs/bug-1043886.t55
-rw-r--r--xlators/mgmt/glusterd/src/glusterd-volume-set.c10
-rw-r--r--xlators/protocol/server/src/server.c16
6 files changed, 102 insertions, 4 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc-auth.c b/rpc/rpc-lib/src/rpcsvc-auth.c
index 4cb86a75839..0ede19f741b 100644
--- a/rpc/rpc-lib/src/rpcsvc-auth.c
+++ b/rpc/rpc-lib/src/rpcsvc-auth.c
@@ -230,6 +230,8 @@ int
rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)
{
int ret = -1;
+ uid_t anonuid = -1;
+ gid_t anongid = -1;
GF_ASSERT (svc);
GF_ASSERT (options);
@@ -240,8 +242,21 @@ rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)
else
svc->root_squash = _gf_false;
+ ret = dict_get_uint32 (options, "anonuid", &anonuid);
+ if (!ret)
+ svc->anonuid = anonuid;
+ else
+ svc->anonuid = RPC_NOBODY_UID;
+
+ ret = dict_get_uint32 (options, "anongid", &anongid);
+ if (!ret)
+ svc->anongid = anongid;
+ else
+ svc->anongid = RPC_NOBODY_GID;
+
if (svc->root_squash)
- gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled ");
+ gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled "
+ "(uid=%d, gid=%d)", svc->anonuid, svc->anongid);
return 0;
}
diff --git a/rpc/rpc-lib/src/rpcsvc-common.h b/rpc/rpc-lib/src/rpcsvc-common.h
index aed55e039e1..3c16abeb77a 100644
--- a/rpc/rpc-lib/src/rpcsvc-common.h
+++ b/rpc/rpc-lib/src/rpcsvc-common.h
@@ -55,6 +55,8 @@ typedef struct rpcsvc_state {
gf_boolean_t allow_insecure;
gf_boolean_t register_portmap;
gf_boolean_t root_squash;
+ uid_t anonuid;
+ gid_t anongid;
glusterfs_ctx_t *ctx;
/* list of connections which will listen for incoming connections */
diff --git a/rpc/rpc-lib/src/rpcsvc.h b/rpc/rpc-lib/src/rpcsvc.h
index cbc1f4226b8..28ec93e11a5 100644
--- a/rpc/rpc-lib/src/rpcsvc.h
+++ b/rpc/rpc-lib/src/rpcsvc.h
@@ -282,14 +282,14 @@ struct rpcsvc_request {
int gidcount = 0; \
if (req->svc->root_squash) { \
if (req->uid == RPC_ROOT_UID) \
- req->uid = RPC_NOBODY_UID; \
+ req->uid = req->svc->anonuid; \
if (req->gid == RPC_ROOT_GID) \
- req->gid = RPC_NOBODY_GID; \
+ req->gid = req->svc->anongid; \
for (gidcount = 0; gidcount < req->auxgidcount; \
++gidcount) { \
if (!req->auxgids[gidcount]) \
req->auxgids[gidcount] = \
- RPC_NOBODY_GID; \
+ req->svc->anongid; \
} \
} \
} while (0);
diff --git a/tests/bugs/bug-1043886.t b/tests/bugs/bug-1043886.t
new file mode 100755
index 00000000000..fb7ecb194d1
--- /dev/null
+++ b/tests/bugs/bug-1043886.t
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+. $(dirname $0)/../include.rc
+. $(dirname $0)/../nfs.rc
+
+cleanup;
+
+TEST glusterd
+TEST pidof glusterd
+TEST $CLI volume create $V0 replica 2 $H0:$B0/${V0}{1,2};
+TEST $CLI volume start $V0
+
+sleep 2;
+## Mount FUSE with caching disabled
+TEST glusterfs --entry-timeout=0 --attribute-timeout=0 -s $H0 --volfile-id $V0 $M0;
+
+EXPECT_WITHIN 20 "1" is_nfs_export_available;
+
+## Mount volume as NFS export
+TEST mount -t nfs -o vers=3,nolock $H0:/$V0 $N0;
+
+# just a random uid/gid
+uid=22162
+gid=5845
+
+mkdir $N0/other;
+chown $uid:$gid $N0/other;
+
+TEST $CLI volume set $V0 server.root-squash on;
+TEST $CLI volume set $V0 server.anonuid $uid;
+TEST $CLI volume set $V0 server.anongid $gid;
+
+sleep 2;
+
+EXPECT_WITHIN 20 "1" is_nfs_export_available;
+
+# create files and directories in the root of the glusterfs and nfs mount
+# which is owned by root and hence the right behavior is getting EACCESS
+# as the fops are executed as nfsnobody.
+touch $M0/file 2>/dev/null;
+TEST [ $? -ne 0 ]
+mkdir $M0/dir 2>/dev/null;
+TEST [ $? -ne 0 ]
+
+# Here files and directories should be getting created as other directory is owned
+# by tmp_user as server.anonuid and server.anongid have the value of tmp_user uid and gid
+TEST touch $M0/other/file 2>/dev/null;
+TEST [ "$(stat -c %u:%g $N0/other/file)" = "$uid:$gid" ];
+TEST mkdir $M0/other/dir 2>/dev/null;
+TEST [ "$(stat -c %u:%g $N0/other/dir)" = "$uid:$gid" ];
+
+TEST $CLI volume stop $V0;
+TEST $CLI volume delete $V0;
+
+cleanup;
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 131f96ce667..b1989567a4d 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
@@ -831,6 +831,16 @@ struct volopt_map_entry glusterd_volopt_map[] = {
.option = "root-squash",
.op_version = 2
},
+ { .key = "server.anonuid",
+ .voltype = "protocol/server",
+ .option = "anonuid",
+ .op_version = 3
+ },
+ { .key = "server.anongid",
+ .voltype = "protocol/server",
+ .option = "anongid",
+ .op_version = 3
+ },
{ .key = "server.statedump-path",
.voltype = "protocol/server",
.option = "statedump-path",
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 3720372f9e3..a797a0d6cb1 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1057,6 +1057,22 @@ struct volume_options options[] = {
"uids or gids that might be equally sensitive, such "
"as user bin or group staff."
},
+ { .key = {"anonuid"},
+ .type = GF_OPTION_TYPE_INT,
+ .default_value = "65534", /* RPC_NOBODY_UID */
+ .min = 0,
+ .max = (uint32_t) -1,
+ .description = "value of the uid used for the anonymous "
+ "user/nfsnobody when root-squash is enabled."
+ },
+ { .key = {"anongid"},
+ .type = GF_OPTION_TYPE_INT,
+ .default_value = "65534", /* RPC_NOBODY_GID */
+ .min = 0,
+ .max = (uint32_t) -1,
+ .description = "value of the gid used for the anonymous "
+ "user/nfsnobody when root-squash is enabled."
+ },
{ .key = {"statedump-path"},
.type = GF_OPTION_TYPE_PATH,
.default_value = DEFAULT_VAR_RUN_DIRECTORY,