| -rw-r--r-- | rpc/rpc-lib/src/rpcsvc-auth.c | 17 | ||||
| -rw-r--r-- | rpc/rpc-lib/src/rpcsvc-common.h | 2 | ||||
| -rw-r--r-- | rpc/rpc-lib/src/rpcsvc.h | 6 | ||||
| -rwxr-xr-x | tests/bugs/bug-1043886.t | 55 | ||||
| -rw-r--r-- | xlators/mgmt/glusterd/src/glusterd-volume-set.c | 10 | ||||
| -rw-r--r-- | xlators/protocol/server/src/server.c | 16 | 
6 files changed, 102 insertions, 4 deletions
diff --git a/rpc/rpc-lib/src/rpcsvc-auth.c b/rpc/rpc-lib/src/rpcsvc-auth.c index 4cb86a75839..0ede19f741b 100644 --- a/rpc/rpc-lib/src/rpcsvc-auth.c +++ b/rpc/rpc-lib/src/rpcsvc-auth.c @@ -230,6 +230,8 @@ int  rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)  {          int  ret = -1; +        uid_t anonuid = -1; +        gid_t anongid = -1;          GF_ASSERT (svc);          GF_ASSERT (options); @@ -240,8 +242,21 @@ rpcsvc_set_root_squash (rpcsvc_t *svc, dict_t *options)          else                  svc->root_squash = _gf_false; +        ret = dict_get_uint32 (options, "anonuid", &anonuid); +        if (!ret) +                svc->anonuid = anonuid; +        else +                svc->anonuid = RPC_NOBODY_UID; + +        ret = dict_get_uint32 (options, "anongid", &anongid); +        if (!ret) +                svc->anongid = anongid; +        else +                svc->anongid = RPC_NOBODY_GID; +          if (svc->root_squash) -                gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled "); +                gf_log (GF_RPCSVC, GF_LOG_DEBUG, "root squashing enabled " +                        "(uid=%d, gid=%d)", svc->anonuid, svc->anongid);          return 0;  } diff --git a/rpc/rpc-lib/src/rpcsvc-common.h b/rpc/rpc-lib/src/rpcsvc-common.h index aed55e039e1..3c16abeb77a 100644 --- a/rpc/rpc-lib/src/rpcsvc-common.h +++ b/rpc/rpc-lib/src/rpcsvc-common.h @@ -55,6 +55,8 @@ typedef struct rpcsvc_state {          gf_boolean_t            allow_insecure;          gf_boolean_t            register_portmap;          gf_boolean_t            root_squash; +        uid_t                   anonuid; +        gid_t                   anongid;          glusterfs_ctx_t         *ctx;          /* list of connections which will listen for incoming connections */ diff --git a/rpc/rpc-lib/src/rpcsvc.h b/rpc/rpc-lib/src/rpcsvc.h index cbc1f4226b8..28ec93e11a5 100644 --- a/rpc/rpc-lib/src/rpcsvc.h +++ b/rpc/rpc-lib/src/rpcsvc.h 
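Review bot: `dict_get_uint32 (options, "anonuid", &anonuid)` and the matching `anongid` call in the second hunk are handed pointers to the `uid_t`/`gid_t` locals declared in the first hunk, which is only correct where those types are exactly 32-bit unsigned. Reading into a `uint32_t` temporary and assigning it to `svc->anonuid` / `svc->anongid` keeps the call well-typed on every platform. The new debug message prints both ids with `%d`, so an id above INT_MAX is logged as a negative number; `"(uid=%u, gid=%u)", (unsigned) svc->anonuid, (unsigned) svc->anongid` avoids that. Any lookup failure falls back to the nobody ids without a log line, so a malformed value is indistinguishable from an unset one. Part of the body of rpcsvc_set_root_squash lies between the two hunks and is not shown.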
@@ -282,14 +282,14 @@ struct rpcsvc_request {
                 int gidcount = 0;                                       \
                 if (req->svc->root_squash) {                            \
                         if (req->uid == RPC_ROOT_UID)                   \
-                                req->uid = RPC_NOBODY_UID;              \
+                                req->uid = req->svc->anonuid;           \
                         if (req->gid == RPC_ROOT_GID)                   \
-                                req->gid = RPC_NOBODY_GID;              \
+                                req->gid = req->svc->anongid;           \
                         for (gidcount = 0; gidcount < req->auxgidcount; \
                              ++gidcount) {                              \
                                 if (!req->auxgids[gidcount])            \
                                         req->auxgids[gidcount] =        \
-                                                RPC_NOBODY_GID;         \
+                                                req->svc->anongid;      \
                         }                                               \
                 }                                                       \
         } while (0);
diff --git a/tests/bugs/bug-1043886.t b/tests/bugs/bug-1043886.t
new file mode 100755
index 00000000000..fb7ecb194d1
--- /dev/null
+++ b/tests/bugs/bug-1043886.t
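Review bot: The squash macro now substitutes `req->svc->anonuid` and `req->svc->anongid` as soon as `root_squash` is true, but rpcsvc_set_root_squash (rpcsvc-auth.c, second hunk) assigns the flag before it assigns the two ids. If requests can be served while options are being applied or reconfigured, which is not visible from this hunk, a root request in that window is mapped to whatever the fields held before; for a freshly zeroed rpcsvc_t that would presumably be uid/gid 0. Setting the ids first and the flag last closes the window, and a comment above the macro such as `/* svc->anonuid and svc->anongid must be valid before root_squash is set */` records the dependency. The macro definition starts above the hunk.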
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+. $(dirname $0)/../include.rc
+. $(dirname $0)/../nfs.rc
+
+cleanup;
+
+TEST glusterd
+TEST pidof glusterd
+TEST $CLI volume create $V0 replica 2 $H0:$B0/${V0}{1,2};
+TEST $CLI volume start $V0
+
+sleep 2;
+## Mount FUSE with caching disabled
+TEST glusterfs --entry-timeout=0 --attribute-timeout=0 -s $H0 --volfile-id $V0 $M0;
+
+EXPECT_WITHIN 20 "1" is_nfs_export_available;
+
+## Mount volume as NFS export
+TEST mount -t nfs -o vers=3,nolock $H0:/$V0 $N0;
+
+# just a random uid/gid
+uid=22162
+gid=5845
+
+mkdir $N0/other;
+chown $uid:$gid $N0/other;
+
+TEST $CLI volume set $V0 server.root-squash on;
+TEST $CLI volume set $V0 server.anonuid $uid;
+TEST $CLI volume set $V0 server.anongid $gid;
+
+sleep 2;
+
+EXPECT_WITHIN 20 "1" is_nfs_export_available;
+
+# create files and directories in the root of the glusterfs and nfs mount
+# which is owned by root and hence the right behavior is getting EACCESS
+# as the fops are executed as nfsnobody.
+touch $M0/file 2>/dev/null;
+TEST [ $? -ne 0 ]
+mkdir $M0/dir 2>/dev/null;
+TEST [ $? -ne 0 ]
+
+# Here files and directories should be getting created as other directory is owned
+# by tmp_user as server.anonuid and server.anongid have the value of tmp_user uid and gid
+TEST touch $M0/other/file 2>/dev/null;
+TEST [ "$(stat -c %u:%g $N0/other/file)" = "$uid:$gid" ];
+TEST mkdir $M0/other/dir 2>/dev/null;
+TEST [ "$(stat -c %u:%g $N0/other/dir)" = "$uid:$gid" ];
+
+TEST $CLI volume stop $V0;
+TEST $CLI volume delete $V0;
+
+cleanup;
diff --git a/xlators/mgmt/glusterd/src/glusterd-volume-set.c b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
index 131f96ce667..b1989567a4d 100644
--- a/xlators/mgmt/glusterd/src/glusterd-volume-set.c
+++ b/xlators/mgmt/glusterd/src/glusterd-volume-set.c
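Review bot: The setup commands `mkdir $N0/other;` and `chown $uid:$gid $N0/other;` run outside `TEST`, so a failed chown goes unreported and the later `stat` assertions then fail for an unrelated reason; `TEST mkdir $N0/other` and `TEST chown $uid:$gid $N0/other` would pin the precondition. The script exercises only explicitly configured ids: it does not check that squashing falls back to the default nobody ids when `server.anonuid` and `server.anongid` are unset, nor what the volume does when `server.anonuid` is set to 0. The comments refer to `tmp_user`, but no such user is created; the ids are plain numbers, and the wording could say so.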
@@ -831,6 +831,16 @@ struct volopt_map_entry glusterd_volopt_map[] = {
           .option      = "root-squash",
           .op_version  = 2
         },
+        { .key         = "server.anonuid",
+          .voltype     = "protocol/server",
+          .option      = "anonuid",
+          .op_version  = 3
+        },
+        { .key         = "server.anongid",
+          .voltype     = "protocol/server",
+          .option      = "anongid",
+          .op_version  = 3
+        },
         { .key         = "server.statedump-path",
           .voltype     = "protocol/server",
           .option      = "statedump-path",
diff --git a/xlators/protocol/server/src/server.c b/xlators/protocol/server/src/server.c
index 3720372f9e3..a797a0d6cb1 100644
--- a/xlators/protocol/server/src/server.c
+++ b/xlators/protocol/server/src/server.c
@@ -1057,6 +1057,22 @@ struct volume_options options[] = {
                          "uids or gids that might be equally sensitive, such "
                          "as user bin or group staff."
         },
+        { .key           = {"anonuid"},
+          .type          = GF_OPTION_TYPE_INT,
+          .default_value = "65534", /* RPC_NOBODY_UID */
+          .min           = 0,
+          .max           = (uint32_t) -1,
+          .description   = "value of the uid used for the anonymous "
+                           "user/nfsnobody when root-squash is enabled."
+        },
+        { .key           = {"anongid"},
+          .type          = GF_OPTION_TYPE_INT,
+          .default_value = "65534", /* RPC_NOBODY_GID */
+          .min           = 0,
+          .max           = (uint32_t) -1,
+          .description   = "value of the gid used for the anonymous "
+                           "user/nfsnobody when root-squash is enabled."
+        },
         { .key           = {"statedump-path"},
           .type          = GF_OPTION_TYPE_PATH,
           .default_value = DEFAULT_VAR_RUN_DIRECTORY,  | 
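Review bot: `.min = 0` on both `anonuid` and `anongid` accepts 0, and with that value the squash macro in rpcsvc.h maps root back to uid/gid 0, so `server.root-squash on` stops squashing without any warning. If 0 is not a supported target, `.min = 1,` rejects it at option validation; otherwise the `.description` should state that 0 disables the protection. `.max = (uint32_t) -1` also admits 4294967295, which is `(uid_t) -1` where ids are 32 bits wide and is read by calls such as chown(2) as "leave unchanged", so excluding it with `.max = (uint32_t) -2,` may be worth considering. The options[] array starts and ends outside the hunk, and whether these keys are also applied on reconfigure is not visible here.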
