Hi Trond,

thanks first for your prompt answer.

Trond Myklebust wrote:

På to , 25/03/2004 klokka 13:00, skreiv Christopher Huhn:

The clients are able to run these scripts with server kernel version 2.4.20.
Now we switched the server to 2.4.25 and get "permission denied" on 
execution.

On page 99, RFC1813 states explicitly that

   A similar problem has to do with paging in an executable
   program over the network.

The point is that I'm not talking about (ELF) executables but shell scripts!
IMHO in local semantics the shell interpreter cannot execute scripts the executor has not read permissions for (How should he without beeing setuid root?).

I made these tests with ls and a script ls.sh that simply calls ls :

    -rwxr-x--x    1 root     root        43784 Mar 18 2002 /bin/ls
    -rwxr-x--x    1 root     root           30 Mar 26 10:20 /bin/ls.sh

    nobody@client[2.4.25-gsi]# /bin/ls
    ... works ...

    nobody@client[2.4.25-gsi]# /bin/ls.sh
    /bin/ls.sh: /bin/ls.sh: Permission denied

and on the server:

    nobody@server[2.4.20]# /bin/ls
    ... works ...

    nobody@server[2.4.20]# /bin/ls.sh
    /bin/ls.sh: /bin/ls.sh: Permission denied

 To make this work, the server allows
   reading of files if the uid given in the call has either
   execute or read permission on the file.

This happens over NFS:

    root@client[2.4.25-gsi]# /nfs/mount/2.4.20/ls
    ...works ...

    root@client[2.4.25-gsi]# /nfs/mount/2.4.20/ls.sh
    ... works ...

    root@client[2.4.25-gsi]# cat /nfs/mount/2.4.20/ls.sh
    ... works (so no security improvements by setting sensitive scripts --x over nfs ) ...

*but*

    root@client[2.4.25-gsi]# /nfs/mount/2.4.25/ls
    ... works ...

    root@client[2.4.25-gsi]# /nfs/mount/2.4.25/ls.sh
    /nfs/mount/2.4.25/ls.sh: /nfs/mount/2.4.25/ls.sh: Permission denied

and to complete this:

    root@client[2.4.20]# /nfs/mount/2.4.25/ls
    ... works ...

    root@client[2.4.20]# /nfs/mount/2.4.25/ls.sh
    /nfs/mount/2.4.25/ls.sh: /nfs/mount/2.4.25/ls.sh: Permission denied

Btw: Nor ls neither ls.sh can be cat'ed in these constellations.

Again, this departs from
   correct local file system semantics.

With 2.4.25 it seems to comply with the local semantics rather than RFC1813.

So if the server is denying read access in 2.4.25, then someone must
have introduced a bug...

That's what it seems, even though I like it the way it is now :-)

These are our specs:

Vanilla kernels 2.4.20 with

    CONFIG_NFS_FS=m
    CONFIG_NFS_V3=y
    # CONFIG_ROOT_NFS is not set
    CONFIG_NFSD=y
    CONFIG_NFSD_V3=y
    # CONFIG_NFSD_TCP is not set
    # CONFIG_NCPFS_NFS_NS is not set

and 2.4.25 with

    CONFIG_NFS_FS=y
    CONFIG_NFS_V3=y
    # CONFIG_NFS_DIRECTIO is not set
    CONFIG_ROOT_NFS=y
    CONFIG_NFSD=m
    CONFIG_NFSD_V3=y
    CONFIG_NFSD_TCP=y
    # CONFIG_NCPFS_NFS_NS is not set

The exports are rw,root_squash

The mount options are rw,sync,v3,rsize=8192,wsize=8192,hard,intr,udp,lock

We are using the nfs-common and nfs-kernel-server debian packages version 1.0-2woody1.

Regards,
    Christopher