Bug 1043558

Summary: chown does not respect NFSv4 no_root_squash
Product: Red Hat Enterprise Linux 6
Reporter: Martin Schuppert <mschuppe>
Component: nfs-utils-lib
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: JianHong Yin <jiyin>
Severity: high
Docs Contact:
Priority: urgent
Version: 6.5
CC: djeffery, eguan, fs-qe, jas, jiyin, jsvarova, lherbolt, rmarigny, steved, tlavigne, ykinoshi, yoyang
Target Milestone: rc
Keywords: ZStream
Target Release: 6.6
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nfs-utils-lib-1.1.5-7.el6
Doc Type: Bug Fix
Doc Text:
Previously, when the chown utility was used on an NFSv4 mount, chown did not adhere to the no_root_squash option, and thus was not able to change the user and group ownership of each given file. The libnfsidmap library, which helps with ID mapping, mainly for NFSv4, has been patched, and chown now handles the user and group ownership as expected.
Story Points: ---
Clone Of:
: 1093093 1106351 (view as bug list) Environment:
Last Closed: 2014-10-14 06:32:41 UTC Type: Bug
Bug Blocks: 994246, 1093093, 1093148, 1106351, 1127166    
Attachments:
data_root.pcap (flags: none)
data_test.pcap (flags: none)

Description Martin Schuppert 2013-12-16 16:10:53 UTC
Created attachment 837300
data_root.pcap

Description of problem:

When chowning a file on an NFSv4 mount, it seems not to respect the NFSv4 no_root_squash option:

NFS server export:
[root@nfs ~]# cat /etc/exports
/scratch *(rw,fsid=0,async,insecure,no_root_squash)

[root@nfs ~]# exportfs -rv
exporting *:/scratch

NFS Client:
[root@client ~]# mount -t nfs  -o vers=4 nfs.example.org:/ /mnt/rhel6/

[root@client ~]# cat /proc/mounts
rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=500204k,nr_inodes=125051,mode=755 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/mapper/myvg-rootvol / ext4 rw,relatime,barrier=1,data=ordered 0 0
/proc/bus/usb /proc/bus/usb usbfs rw,relatime 0 0
/dev/vda1 /boot ext3 rw,relatime,errors=continue,user_xattr,acl,barrier=1,data=ordered 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0
nfs.example.org:/ /mnt/rhel6 nfs4 rw,relatime,vers=4,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.33.20.36,minorversion=0,local_lock=none,addr=10.33.20.128 0 0


Create a file:
[root@client ~]# touch /mnt/rhel6/testfile_root
[root@client ~]# ll /mnt/rhel6/testfile_root
-rw-r--r-- 1 root root 0 Dec 16  2013 /mnt/rhel6/testfile_root

Chown the file:
[root@client ~]# chown root:root /mnt/rhel6/testfile_root
[root@client ~]# ll /mnt/rhel6/testfile_root
-rw-r--r-- 1 nobody nobody 0 Dec 16  2013 /mnt/rhel6/testfile_root

Doing the same for a "normal" user works as expected:
[root@client ~]# su - test

Create a file:
[test@client ~]$ touch /mnt/rhel6/testfile_test
[test@client ~]$ ll /mnt/rhel6/testfile_test
-rw-rw-r-- 1 test test 0 Dec 16  2013 /mnt/rhel6/testfile_test

Chown the file:
[test@client ~]$ chown test:test /mnt/rhel6/testfile_test
[test@client ~]$ ll /mnt/rhel6/testfile_test
-rw-rw-r-- 1 test test 0 Dec 16  2013 /mnt/rhel6/testfile_test


Version-Release number of selected component (if applicable):
-RHEL 6.5
-kernel-2.6.32-431.1.2.el6.x86_64
-nfs-utils-1.2.3-39.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. cat /etc/exports 
/scratch *(rw,fsid=0,async,insecure,no_root_squash)

2. # mount -t nfs  -o vers=4 nfs.example.org:/ /mnt/rhel6/

3. # touch /mnt/rhel6/testfile_root
=> check file perms:
-rw-r--r-- 1 root root 0 Dec 16  2013 /mnt/rhel6/testfile_root

4. # chown root:root /mnt/rhel6/testfile_root
=> check file perms:
-rw-r--r-- 1 nobody nobody 0 Dec 16  2013 /mnt/rhel6/testfile_root

Actual results:
chown to root:root results in nobody:nobody

Expected results:
chown to root:root results in root:root

Additional info:
attached 
* data_root.pcap mount/touch/chown as root user
* data_test.pcap touch/chown as test user

Comment 1 Martin Schuppert 2013-12-16 16:11:32 UTC
Created attachment 837301
data_test.pcap

Comment 3 Martin Schuppert 2013-12-16 16:29:55 UTC
It works when setting nfs4_disable_idmapping=n

[root@client ~]# cat /etc/modprobe.d/nfs.conf 
options nfs nfs4_disable_idmapping=n


[root@client ~]# mount -t nfs  -o vers=4 nfs.example.org:/ /mnt/rhel6/
[root@client ~]# touch /mnt/rhel6/testfile_rootttt
[root@client ~]# ll /mnt/rhel6/testfile_rootttt
-rw-r--r-- 1 root root 0 Dec 16  2013 /mnt/rhel6/testfile_rootttt

[root@client ~]# chown root:root /mnt/rhel6/testfile_rootttt
[root@client ~]# ll /mnt/rhel6/testfile_rootttt
-rw-r--r-- 1 root root 0 Dec 16  2013 /mnt/rhel6/testfile_rootttt

Comment 7 Steve Dickson 2014-04-30 14:55:30 UTC
This is the needed fix for libnfsidmap

diff -up ./libnfsidmap.c.orig ./libnfsidmap.c
--- ./libnfsidmap.c.orig	2014-04-30 10:19:28.000000000 -0400
+++ ./libnfsidmap.c	2014-04-30 10:49:05.000000000 -0400
@@ -99,8 +99,12 @@ static char * toupper_str(char *s)
 static int id_as_chars(char *name, int *id)
 {
 	long int value = strtol(name, NULL, 10);
-	if (value == 0)
-		return 0;
+
+	if (value == 0) {
+		/* check for zero id values */
+		if (strcmp(name, "0") != 0)
+			return 0;
+	}
 	*id = (int)value;
 	return 1;
 }
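
Review bot: in id_as_chars(), the new check `if (strcmp(name, "0") != 0)` fixes the root case, but strtol() is still called with a NULL end pointer, so a string with trailing non-digits such as "1000abc" is still accepted as id 1000, and the long result is cast to int with no range or sign check. Consider passing an end pointer and returning 0 when no digits were consumed, when `*end != '\0'`, or when errno is ERANGE or the value does not fit an id; "0" and a non-numeric name are then told apart by the end pointer rather than by the return value, and the special-case string comparison is no longer needed. As written, other spellings of zero ("00", "+0") still make this function return 0; if that is intended, the comment should say so.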

Comment 9 Steve Dickson 2014-04-30 18:23:13 UTC
commit 3226c06989186d9cd60ba146df4e2898fee5047b
Author: Steve Dickson <steved>
Date:   Wed Apr 30 11:14:22 2014 -0400

    libnfsidmap: id_as_chars() fails zero value ids.
    
    Root has a zero value id which is valid and
    should not be mapped to nfsnobody
    
    Signed-off-by: Steve Dickson <steved>

Upstream tag: libnfsidmap-0-26-rc4

Comment 12 JianHong Yin 2014-05-04 09:24:22 UTC
*** Bug 1072291 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2014-10-14 06:32:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1451.html