From: "J. Bruce Fields" <bfields@fieldses.org>
To: Suresh Jayaraman <sjayaraman@suse.com>
Cc: steved@redhat.com, Trond Myklebust <Trond.Myklebust@netapp.com>,
linux-nfs@vger.kernel.org
Subject: Re: idmapd doesn't map if the name (user or group) contains UTF8 characters
Date: Thu, 13 Dec 2012 09:34:38 -0500 [thread overview]
Message-ID: <20121213143438.GA24855@fieldses.org> (raw)
In-Reply-To: <50C9AE0E.9070404@suse.com>
On Thu, Dec 13, 2012 at 03:59:34PM +0530, Suresh Jayaraman wrote:
> Hi all,
>
> While investigating a bug report from our customer where NFSv4 name to
> id mapping fails on the NFSv4 client (and maps to 'nobody') if a user or
> group name contains non-ASCII characters (in this case it was Umlaut
> characters) figured out we limit the characters to ASCII.
>
> We seem to do this intentionally in utils/idmapd/idmapd.c: imconv()
>
> ...
> case IDMAP_CONV_NAMETOID:
> if (validateascii(im->im_name, sizeof(im->im_name)) == -1) {
> im->im_status |= IDMAP_STATUS_INVALIDMSG;
> return;
> }
> ...
>
> with the validateacsii() function. I'm not sure why we had to limit the
> characters in the NFSv4 domain name to ASCII only. If I have to guess:
>
> - perhaps it is risky because the shell might expand some characters?
> - Non-ASCII characters might have trouble between sharing systems
> that may use different encodings
> - to remain consistent with the tools like `groupadd' which considers
> a name with these characters as Invalid names (not sure why
> `groupadd' does so)
>
>
> However, there seems to be a valid use case for allowing such
> characters. For e.g. If Active Directory or LDAP is being used for
> authentication, both of them seem to allow Umlaut characters. When used
> together with such directory services, idmapd would end up mapping those
> users or groups to 'nobody'.
>
> So my questions are:
>
> 1) What is the reason behind not allowing non-ASCII characters?
I don't know why it's there either. I don't think there's any reason
the kernel or other NFS code needs the check.
> 2) Is the limitation historical and is not relevant now? In such case
> can we remove this check?
> 3) Would it make sense to allow atleast some UTF-8 characters that may
> be non-risky?
I'd suggest just throwing away the check.
Even if we were to check for something else (like UTF-8, which is what
the v4 specs actually want), idmapd doesn't seem like the right place to
enforce restrictions on names. Once the system has allowed a name it's
too late to be complaining about it here.
--b.
prev parent reply other threads:[~2012-12-13 14:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-13 10:29 idmapd doesn't map if the name (user or group) contains UTF8 characters Suresh Jayaraman
2012-12-13 14:34 ` J. Bruce Fields [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121213143438.GA24855@fieldses.org \
--to=bfields@fieldses.org \
--cc=Trond.Myklebust@netapp.com \
--cc=linux-nfs@vger.kernel.org \
--cc=sjayaraman@suse.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).