linux-nfs.vger.kernel.org archive mirror
* [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
@ 2014-06-03 11:17 Christian Seiler
  2014-08-13 16:45 ` Steve Dickson
  0 siblings, 1 reply; 5+ messages in thread
From: Christian Seiler @ 2014-06-03 11:17 UTC (permalink / raw)
  To: linux-nfs; +Cc: Christian Seiler

Previous behavior of libnfsidmap was to do a name lookup of
nobody@DEFAULTDOMAIN (for both user and group), which does not match
the behavior of rpc.idmapd.

This patch makes libnfsidmap respect Nobody-User/Nobody-Group for
lookups, thus making the nfsidmap utility properly handle the case if
nobody@DEFAULTDOMAIN does not directly map to any user/group on the
system.

Signed-off-by: Christian Seiler <christian@iwakd.de>
---
 libnfsidmap.c |   48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/libnfsidmap.c b/libnfsidmap.c
index 92bc493..4903c1e 100644
--- a/libnfsidmap.c
+++ b/libnfsidmap.c
@@ -62,6 +62,8 @@ static struct conf_list *local_realms;
 int idmap_verbosity = 0;
 static struct mapping_plugin **nfs4_plugins = NULL;
 static struct mapping_plugin **gss_plugins = NULL;
+uid_t nobody_uid = (uid_t)-1;
+gid_t nobody_gid = (gid_t)-1;
 
 #ifndef PATH_PLUGINS
 #define PATH_PLUGINS "/usr/lib/libnfsidmap"
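Review bot: `nobody_uid` and `nobody_gid` are introduced as non-static globals right below `nfs4_plugins` and `gss_plugins`, which are `static`; since the only consumer is `set_id_to_nobody()` in this same file, declare them `static uid_t nobody_uid = (uid_t)-1;` and `static gid_t nobody_gid = (gid_t)-1;` so two generic names do not become exported symbols of a shared library that a linking program could clash with or interpose.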
@@ -228,6 +230,7 @@ int nfs4_init_name_mapping(char *conffile)
 	int ret = -ENOENT;
 	int dflt = 0;
 	struct conf_list *nfs4_methods, *gss_methods;
+	char *nobody_user, *nobody_group;
 
 	/* XXX: need to be able to reload configurations... */
 	if (nfs4_plugins) /* already succesfully initialized */
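Review bot: the early return at `if (nfs4_plugins) /* already succesfully initialized */` means the uid/gid derived from `nobody_user` and `nobody_group` later in this function are computed once per process and never refreshed, so the `XXX: need to be able to reload configurations...` comment now also covers Nobody-User/Nobody-Group; extend that comment to say so, so the limitation is not forgotten when reloading is implemented (and `succesfully` can become `successfully` while the lines are being touched).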
@@ -324,6 +327,39 @@ int nfs4_init_name_mapping(char *conffile)
 		if (load_plugins(gss_methods, &gss_plugins) == -1)
 			goto out;
 	}
+
+	nobody_user = conf_get_str("Mapping", "Nobody-User");
+	if (nobody_user) {
+		size_t buflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+		struct passwd *buf;
+		struct passwd *pw = NULL;
+		int err;
+
+		buf = malloc(sizeof(*buf) + buflen);
+		if (buf) {
+			err = getpwnam_r(nobody_user, buf, ((char *)buf) + sizeof(*buf), buflen, &pw);
+			if (err == 0 && pw != NULL)
+				nobody_uid = pw->pw_uid;
+			free(buf);
+		}
+	}
+
+	nobody_group = conf_get_str("Mapping", "Nobody-Group");
+	if (nobody_group) {
+		size_t buflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+		struct group *buf;
+		struct group *gr = NULL;
+		int err;
+
+		buf = malloc(sizeof(*buf) + buflen);
+		if (buf) {
+			err = getgrnam_r(nobody_group, buf, ((char *)buf) + sizeof(*buf), buflen, &gr);
+			if (err == 0 && gr != NULL)
+				nobody_gid = gr->gr_gid;
+			free(buf);
+		}
+	}
+
 	ret = 0;
 out:
 	if (ret) {
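Review bot: `sysconf(_SC_GETPW_R_SIZE_MAX)` is allowed to return -1 (no fixed limit), which after assignment to `size_t buflen` becomes SIZE_MAX and makes `malloc(sizeof(*buf) + buflen)` wrap or fail, and `getpwnam_r()` returns ERANGE when the entry does not fit the buffer (routine with NSS backends such as nss_ldapd); in both cases `nobody_uid` silently stays `(uid_t)-1` and the administrator's setting is ignored. Fall back to a fixed size when the hint is -1, retry with a larger buffer on `err == ERANGE`, and emit a message gated on `idmap_verbosity` when a configured Nobody-User/Nobody-Group cannot be resolved, because a silent failure here means ownership quietly drops to the nobody@domain path. The `getgrnam_r()` block has the same two gaps, and the two blocks are line-for-line duplicates: one helper taking `is_uid` would halve the code and keep the fixes in one place.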
@@ -453,6 +489,18 @@ static int set_id_to_nobody(int *id, int is_uid)
 	int rc = 0;
 	const char name[] = "nobody@";
 	char nobody[strlen(name) + strlen(get_default_domain()) + 1];
+
+	/* First try to see whether a Nobody-User/Nobody-Group was
+         * configured, before we try to do a full lookup for the
+         * NFS nobody user. */
+	if (is_uid && nobody_uid != (uid_t)-1) {
+		*id = (int)nobody_uid;
+		return 0;
+	} else if (!is_uid && nobody_gid != (gid_t)-1) {
+		*id = (int)nobody_gid;
+		return 0;
+	}
+
 	strcpy(nobody, name);
 	strcat(nobody, get_default_domain());
 
-- 
1.7.10.4


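An added worked example, not nfs-utils code and not part of the original thread: the lookup the patch performs, written out with the two failure modes the patch's getpwnam_r/getgrnam_r blocks leave unhandled (sysconf() returning -1 and ERANGE on a too-small buffer), plus a reader for an idmapd.conf-style [Mapping] section so the whole decision in set_id_to_nobody() can be exercised on a constructed config. The function names (id_of, conf_lookup, nobody_id), the parser and the sample config text are this example's own; the real library reads its settings through conf_get_str() and maps nobody@domain through its plugins, and neither is reproduced here.

```c
/* Added example, not nfs-utils code: resolve Nobody-User / Nobody-Group from
 * an idmapd.conf-style [Mapping] section as the patch does, but handling the
 * two lookup failures the patch ignores: sysconf() returning -1 and
 * getpwnam_r()/getgrnam_r() returning ERANGE. Names and text are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve a user (is_uid) or group name through NSS; -1 if absent or on error.
 * Retries with a bigger buffer on ERANGE (LDAP entries can be large), capped. */
long id_of(const char *name, int is_uid)
{
    long hint = sysconf(is_uid ? _SC_GETPW_R_SIZE_MAX : _SC_GETGR_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;   /* -1 means "no limit known" */
    struct passwd pw, *pres;
    struct group gr, *gres;
    for (;;) {
        char *buf = malloc(len);
        if (buf == NULL) return -1;
        int err;
        long id = -1;
        if (is_uid) {
            err = getpwnam_r(name, &pw, buf, len, &pres);
            if (err == 0 && pres != NULL) id = (long)pres->pw_uid;
        } else {
            err = getgrnam_r(name, &gr, buf, len, &gres);
            if (err == 0 && gres != NULL) id = (long)gres->gr_gid;
        }
        free(buf);
        if (err != ERANGE) return id;        /* found, absent, or a hard error */
        if (len >= (1u << 20)) return -1;    /* refuse to grow without bound */
        len *= 2;                            /* entry did not fit: retry larger */
    }
}

/* Strip trailing blanks (and a stray CR) in place. */
static void rtrim(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && strchr(" \t\r", s[n - 1]))
        n--;
    s[n] = '\0';
}

/* malloc'd copy of key's value inside [section] ("Key = Value" lines,
 * '#'/';' comments, exact-case names), or NULL when absent. */
char *conf_lookup(const char *text, const char *section, const char *key)
{
    char *copy = strdup(text), *save = NULL, *result = NULL;
    int in_section = 0;
    if (copy == NULL) return NULL;
    for (char *line = strtok_r(copy, "\n", &save); line != NULL && result == NULL;
         line = strtok_r(NULL, "\n", &save)) {
        char *s = line + strspn(line, " \t");
        char *eq = strchr(s, '=');
        if (*s == '[') {                           /* section header */
            char *end = strchr(s, ']');
            if (end != NULL) {
                *end = '\0';
                in_section = strcmp(s + 1, section) == 0;
            }
        } else if (in_section && eq != NULL && *s != '#' && *s != ';') {
            *eq = '\0';
            rtrim(s);                              /* key without trailing blanks */
            if (strcmp(s, key) == 0) {
                char *v = eq + 1 + strspn(eq + 1, " \t");
                rtrim(v);
                result = strdup(v);
            }
        }
    }
    free(copy);
    return result;
}

/* The patch's precedence: a configured, resolvable name wins (returns 0); on
 * -1 the library would go on to map "nobody@<Domain>" through its plugins. */
int nobody_id(const char *conf, int is_uid, long *id)
{
    char *name = conf_lookup(conf, "Mapping", is_uid ? "Nobody-User" : "Nobody-Group");
    long v = name ? id_of(name, is_uid) : -1;
    free(name);
    if (v < 0) return -1;
    *id = v;
    return 0;
}

const char sample_conf[] =    /* constructed sample, not a real file */
    "[General]\n"
    "Domain = example.com\n"
    "[Mapping]\n"
    "# account names resolved through NSS, not numeric ids\n"
    "Nobody-User = nobody\n"
    "Nobody-Group = nogroup\n";
```

Compile with `cc -std=c99`; nothing beyond libc is needed. On a host that has no `nobody`/`nogroup` account, nobody_id() returns -1, which is exactly the situation in which libnfsidmap would go on to look up nobody@DEFAULTDOMAIN, so the caller sees the same two-step behaviour as set_id_to_nobody() without the silent failure the patch has when the passwd lookup needs a larger buffer.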

* Re: [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
  2014-06-03 11:17 [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group Christian Seiler
@ 2014-08-13 16:45 ` Steve Dickson
  2014-08-13 17:45   ` Christian Seiler
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Dickson @ 2014-08-13 16:45 UTC (permalink / raw)
  To: Christian Seiler, linux-nfs



On 06/03/2014 07:17 AM, Christian Seiler wrote:
> Previous behavior of libnfsidmap was to do a name lookup of
> nobody@DEFAULTDOMAIN (for both user and group), which does not match
> the behavior of rpc.idmapd.
> 
> This patch makes libnfsidmap respect Nobody-User/Nobody-Group for
> lookups, thus making the nfsidmap utility properly handle the case if
> nobody@DEFAULTDOMAIN does not directly map to any user/group on the
> system.
> 
> Signed-off-by: Christian Seiler <christian@iwakd.de>
Wow... This one fell off the radar... sorry about that!

Committed! 

steved.


* Re: [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
  2014-08-13 16:45 ` Steve Dickson
@ 2014-08-13 17:45   ` Christian Seiler
  2014-08-13 19:09     ` Steve Dickson
  2014-08-14 19:37     ` Benjamin Coddington
  0 siblings, 2 replies; 5+ messages in thread
From: Christian Seiler @ 2014-08-13 17:45 UTC (permalink / raw)
  To: Steve Dickson; +Cc: linux-nfs

Hi,

On 2014-08-13 18:45, Steve Dickson wrote:
> On 06/03/2014 07:17 AM, Christian Seiler wrote:
>> Previous behavior of libnfsidmap was to do a name lookup of
>> nobody@DEFAULTDOMAIN (for both user and group), which does not match
>> the behavior of rpc.idmapd.
>>
>> This patch makes libnfsidmap respect Nobody-User/Nobody-Group for
>> lookups, thus making the nfsidmap utility properly handle the case if
>> nobody@DEFAULTDOMAIN does not directly map to any user/group on the
>> system.
>>
>> Signed-off-by: Christian Seiler <christian@iwakd.de>
> Wow... This one fell off the radar... sorry about that!

No problem. To be honest, I completely forgot about this patch
myself, because I wrote this patch when I tried to switch from
idmapd to nfsidmap, but after I had some problems with that, I
kind of switched back to idmapd, and then kind of put the whole
thing to the back of my mind.

But perhaps you can give me a couple of pointers on how to
best debug the issue I had with nfsidmap:

  - nsswitch translation for idmapping, nss_ldapd
  - nfsv4 sec=krb5 mount (mounted via autofs)
  - no krb5 ticket: ls doesn't even work (permission denied)
    (this is expected, not a bug)
  - with krb5 ticket: ls -l shows correct directory contents,
    with correct user/group ownership (translation nfs4 ->
    uid/gid via nfsidmap and then uid/gid -> local names via
    getpwnam works)
  - accessing files owned by myself but that are not group/other
    readable doesn't work (permission denied)
  - writing to files / directories on which I have write
    permission (but no other write permission) doesn't work
  - nfsv4 sec=sys mounts don't have this problem

To me this appears to be a problem that while uids/gids are
correctly mapped when getting data from the server, they are
not mapped properly when sending requests to the server, so
that it always falls back to nobody, therefore giving me
insufficient permissions.

The problem doesn't occur with rpc.idmapd (and disabled
nfsidmap).

My question would be whether there is an easy way to debug this?
I tried to have a look at the kernel nfs4 client code / the
interaction with idmap, but I just don't know enough about that
area of the kernel to really see through the logic.

> Committed!

Thanks!

Regards,
Christian



* Re: [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
  2014-08-13 17:45   ` Christian Seiler
@ 2014-08-13 19:09     ` Steve Dickson
  2014-08-14 19:37     ` Benjamin Coddington
  1 sibling, 0 replies; 5+ messages in thread
From: Steve Dickson @ 2014-08-13 19:09 UTC (permalink / raw)
  To: Christian Seiler; +Cc: linux-nfs



On 08/13/2014 01:45 PM, Christian Seiler wrote:
> No problem. To be honest, I completely forgot about this patch
> myself, because I wrote this patch when I tried to switch from
> idmapd to nfsidmap, but after I had some problems with that, I
> kind of switched back to idmapd, and then kind of put the whole
> thing to the back of my mind.
> 
> But perhaps you can give me a couple of pointers on how to
> best debug the issue I had with nfsidmap:
> 
>  - nsswitch translation for idmapping, nss_ldapd
I'm not sure what you are asking...

>  - nfsv4 sec=krb5 mount (mounted via autofs)
So you're saying krb5 v4 mounts don't work via autofs and
it's because of idmapping??

>  - no krb5 ticket: ls doesn't even work (permission denied)
>    (this is expected, not a bug)
>  - with krb5 ticket: ls -l shows correct directory contents,
>    with correct user/group ownership (translation nfs4 ->
>    uid/gid via nfsidmap and then uid/gid -> local names via
>    getpwnam works)
And what's the problem?

>  - accessing files owned by myself but that are not group/other
>    readable doesn't work (permission denied)
hmm... this sounds like a bug...

>  - writing to files / directories on which I have write
>    permission (but no other write permission) doesn't work
Is the execute bit on? 
>  - nfsv4 sec=sys mounts don't have this problem
> 
> To me this appears to be a problem that while uids/gids are
> correctly mapped when getting data from the server, they are
> not mapped properly when sending requests to the server, so
> that it always falls back to nobody, therefore giving me
> insufficient permissions.
> 
> The problem doesn't occur with rpc.idmapd (and disabled
> nfsidmap).
This is very odd...

> 
> My question would be whether there is an easy way to debug this?
> I tried to have a look at the kernel nfs4 client code / the
> interaction with idmap, but I just don't know enough about that
> area of the kernel to really see through the logic.

set Verbosity = 9 in /etc/idmapd.conf, then look
in /var/log/messages for the output...

steved.


* Re: [PATCH] libnfsidmap: respect Nobody-User/Nobody-Group
  2014-08-13 17:45   ` Christian Seiler
  2014-08-13 19:09     ` Steve Dickson
@ 2014-08-14 19:37     ` Benjamin Coddington
  1 sibling, 0 replies; 5+ messages in thread
From: Benjamin Coddington @ 2014-08-14 19:37 UTC (permalink / raw)
  To: Christian Seiler; +Cc: Steve Dickson, linux-nfs

On 13 Aug 2014, at 13:45, Christian Seiler wrote:
> My question would be whether there is an easy way to debug this?
> I tried to have a look at the kernel nfs4 client code / the
> interaction with idmap, but I just don't know enough about that
> area of the kernel to really see through the logic.

Do you have access to the server?  You can add -vvv to rpc.idmapd on the
server side to see the upcalls it services from nfsd, and see the
translations.  I don't think nfsd uses nfsidmap (yet).

Also turn up the debugging on rpc.gssd on the client (-vvv) and rpc.svcgssd
on the server - you could be having GSS problems instead of idmapping
problems.

Ben

