[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#783212: nfs-kernel-server: exportfs fails to set rw, ro, [no_]root_squash or [no_]squash_all flags in some cases

Package: nfs-kernel-server
Version: 1:1.2.8-9
Severity: important
Tags: fixed-upstream
Control: merge -1 709403

Dear Maintainer,

after upgrading from version 1:1.2.6-4 several exports on my server lost
their no_root_squash flag, causing "Permission denied" errors on the
corresponding clients when using root.

After some testing and debugging I came to the following conclusion:
Commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (Add a default flavor to
an export's e_secinfo list) breaks export option parsing by exportfs in
some cases.
Upstream commit 7004991526be90ec2647d28c503936dc91bc9100 (exportfs: Fix
the default authentication flavour setting) fixes the bug as a side
effect of dealing with another problem sharing the same root cause.

The easiest workaround is to add a sec=xyz option at the beginning of
all export option strings.


My test configuration is as follows:

 -- /etc/exports --
/srv/nfs4	-fsid=0,async,no_subtree_check,insecure,all_squash 10.0.0.2 10.0.0.3(secure,rw,no_root_squash,no_all_squash)

exportfs -v output from version 1:1.2.8-9:
/srv/nfs4       10.0.0.2(ro,async,wdelay,insecure,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)
/srv/nfs4       10.0.0.3(ro,async,wdelay,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)

but /var/lib/nfs/etab shows
/srv/nfs4       10.0.0.2(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
/srv/nfs4       10.0.0.3(rw,async,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
         	         ^                                      ^              ^                                                                                          ^  ^           ^
meaning exportfs -a|-r produces an inconsistent etab line. Consequently
rw, no_root_squash and no_all_squash get dropped by exportfs -v and
mountd (last save wins). This happens under following conditions:

(1) A default option specification is present on the export line.
(2) The export line contains an export with rw, ro, [no_]root_squash or
    [no_]squash_all options different from the implied or declared
    default options
(3) The option string for this export doesn't contain a sec=xyz
    option preceding the options named in (2).

The underlying bug is in function parseopts at ./support/nfs/exports.c:646:
A default security flavor containing duplicates of the specified default
values for the READONLY, ROOTSQUASH and ALLSQUASH flags is added to the
default options. This default flavor is erroneously reused for all exports
on the same line in spite of containing flags that can be altered by export
specifications. This results in possibly incorrect options at the end of
the export specifications in the etab file. The bug fix is to generate a
default security flavor seperately for each export that doesn't already have
one. This is in effect what upstream commit
7004991526be90ec2647d28c503936dc91bc9100 does by deferring the generation
of default security flavors as long as possible.

I have patched version 1:1.2.8-9 with upstream commit
7004991526be90ec2647d28c503936dc91bc9100 and it works as expected:

exportfs -v output from version 1:1.2.8-9.1:
/srv/nfs4       10.0.0.2(ro,async,wdelay,insecure,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)
/srv/nfs4       10.0.0.3(rw,async,wdelay,no_root_squash,no_subtree_check,fsid=0,sec=sys,rw,no_root_squash,no_all_squash)

/var/lib/nfs/etab after exportfs -r (version 1:1.2.8-9.1):
/srv/nfs4       10.0.0.2(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
/srv/nfs4       10.0.0.3(rw,async,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,rw,no_root_squash,no_all_squash)


I have set the severity to important in order to be able to merge bug
#709403, which looks like an instance of the same bug to me. If this
doesn't seem appropriate please adjust as you see fit.

Regards,
  Martin B


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (900, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages nfs-kernel-server depends on:
ii  libblkid1     2.25.2-6
ii  libc6         2.19-18
ii  libcap2       1:2.24-8
ii  libsqlite3-0  3.8.7.4-1
ii  libtirpc1     0.2.5-1
ii  libwrap0      7.6.q-25
ii  lsb-base      4.1+Debian13+nmu1
ii  nfs-common    1:1.2.8-9
ii  ucf           3.0030

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
Reply to: