Bug 1532688

Summary: Varying ro/rw in NFS export based on security flavor doesn't work
Product: Red Hat Enterprise Linux 7
Reporter: Tamas Vincze <tom>
Component: nfs-utils
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: Yongcheng Yang <yoyang>
Severity: high
Priority: unspecified
Version: 7.4
CC: ajmitchell, jiyin, rhandlin, xzhou, yoyang
Target Milestone: rc
Keywords: Reproducer
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nfs-utils-1.3.0-0.56.el7
Doc Type: If docs needed, set a value
Last Closed: 2018-10-30 11:48:04 UTC
Type: Bug

Description Tamas Vincze 2018-01-09 15:24:40 UTC
The exports man page says that one can vary ro/rw based on security flavor by including multiple sec= options in /etc/exports, but it seems to be broken in nfs-utils-1.3.0-0.48.el7_4.

For example this /etc/exports:

/export/pub 10.13.0.0/16(sec=sys,ro,sec=krb5i:krb5p,rw)

results in this /var/lib/nfs/etab:

/export/pub 10.13.0.0/16(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash,sec=krb5i:krb5p,secure,root_squash,no_all_squash)

Only the rw option is present in etab, and that applies to both sec=sys and sec=krb5i:krb5p.

This is a possible security hazard as the share is writable by anyone.

Comment 2 Yongcheng Yang 2018-01-10 04:05:04 UTC
Reproduced it with the latest nfs-utils version of RHEL 7:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@rhel7 ~]# rpm -q nfs-utils
nfs-utils-1.3.0-0.53.el7.x86_64
[root@rhel7 ~]# cat /etc/exports
/export_rhel7 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)
[root@rhel7 ~]# systemctl restart nfs
[root@rhel7 ~]# exportfs -s
/export_rhel7  127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash)
[root@rhel7 ~]# exportfs -s 2>/dev/null | sed 's/sec=/\nsec=/g'
/export_rhel7  127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,
sec=sys,secure,root_squash,all_squash,            <<<<<<<<<<<<
sec=krb5:krb5i,secure,root_squash,no_all_squash,  <<<<<<<<<<<<
sec=krb5p,secure,no_root_squash,no_all_squash)    <<<<<<<<<<<<
[root@rhel7 ~]# 

Compared with fedora-26 which has the same problem:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@fedora26 ~]# rpm -q nfs-utils
nfs-utils-2.2.1-3.rc2.fc26.x86_64
[root@fedora26 ~]# cat /etc/exports
/export_fedora 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)
[root@fedora26 ~]# systemctl restart nfs
[root@fedora26 ~]# exportfs -v
/export_fedora  127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash)
[root@fedora26 ~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g'
/export_fedora  127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,
sec=sys,secure,root_squash,all_squash,            <<<<<<<<<<<<
sec=krb5:krb5i,secure,root_squash,no_all_squash,  <<<<<<<<<<<<
sec=krb5p,secure,no_root_squash,no_all_squash)    <<<<<<<<<<<<
[root@fedora26 ~]# 

Looks like it acts correctly in RHEL 6:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[root@rhel6 ~]# rpm -q nfs-utils
nfs-utils-1.2.3-75.el6.x86_64
[root@rhel6 ~]# cat /etc/exports 
/export_test 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)
[root@rhel6 ~]# service nfs restart
Shutting down NFS daemon: [  OK  ]
Shutting down NFS mountd: [  OK  ]
Shutting down NFS quotas: [  OK  ]
Shutting down NFS services:  [  OK  ]
Shutting down RPC idmapd: [  OK  ]
Starting NFS services:  [  OK  ]
Starting NFS quotas: [  OK  ]
Starting NFS mountd: [  OK  ]
Starting NFS daemon: [  OK  ]
Starting RPC idmapd: [  OK  ]
[root@rhel6 ~]# exportfs -v
/export_test    127.0.0.1(rw,wdelay,no_root_squash,no_subtree_check,sec=sys,ro,root_squash,all_squash,sec=krb5,ro,root_squash,no_all_squash,sec=krb5i,rw,root_squash,no_all_squash,sec=krb5p,rw,no_root_squash,no_all_squash)
[root@rhel6 ~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g'
/export_test    127.0.0.1(rw,wdelay,no_root_squash,no_subtree_check,
sec=sys,ro,root_squash,all_squash,             <<<<<<<<<<<<<<<<<<
sec=krb5,ro,root_squash,no_all_squash,         <<<<<<<<<<<<<<<<<<
sec=krb5i,rw,root_squash,no_all_squash,        <<<<<<<<<<<<<<<<<<
sec=krb5p,rw,no_root_squash,no_all_squash)     <<<<<<<<<<<<<<<<<<
[root@rhel6 ~]#

Comment 3 Alice Mitchell 2018-01-11 18:04:42 UTC
Caused by http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=37c07fa0b74a29dea18d359068e9189c5159c49d

which attempted to squash duplicated options in the exports output, but alas it is too naive and does not know that both rw and ro can validly appear in the same options string, as in this case.

Comment 4 Yongcheng Yang 2018-01-12 02:42:24 UTC
(In reply to Justin Mitchell from comment #3)
> Caused by
> http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=37c07fa0b74a29dea18d359068e9189c5159c49d

Thanks for the investigation.

This issue was introduced into RHEL-7.4 via Bug 1396402 (adding "see also").

Comment 5 JianHong Yin 2018-01-12 07:23:57 UTC
upstream patch:
 https://patchwork.kernel.org/patch/10159615/

Comment 7 Yongcheng Yang 2018-07-24 11:17:21 UTC
Verified in nfs-utils-1.3.0-0.57.el7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://beaker.engineering.redhat.com/recipes/5410558#task75906498
------------------------------------------------------------------
[07:28:56 root@ ~~]# echo '/expdir-exportfs *(sec=sys,ro,all_squash,sec=krb5,no_all_squash,sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)' > /etc/exports
[07:28:56 root@ ~~]# service_nfs restart
Redirecting to /bin/systemctl restart nfs.service
[07:28:56 root@ ~~]# exportfs -v
/expdir-exportfs
		<world>(sync,wdelay,hide,no_subtree_check,sec=sys,ro,secure,root_squash,all_squash,sec=krb5,ro,secure,root_squash,no_all_squash,sec=krb5i,rw,secure,root_squash,no_all_squash,sec=krb5p,rw,secure,no_root_squash,no_all_squash)
[07:28:56 root@ ~~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g'
/expdir-exportfs
		<world>(sync,wdelay,hide,no_subtree_check,
sec=sys,ro,secure,root_squash,all_squash,
        ^^^
sec=krb5,ro,secure,root_squash,no_all_squash,
         ^^^
sec=krb5i,rw,secure,root_squash,no_all_squash,
          ^^^
sec=krb5p,rw,secure,no_root_squash,no_all_squash)
          ^^^

Compared with previous nfs-utils-1.3.0-0.55.el7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://beaker.engineering.redhat.com/recipes/5311085#task74348293
------------------------------------------------------------------
[18:12:17 root@ ~~]# exportfs -v
/expdir-exportfs
		<world>(rw,sync,wdelay,hide,no_subtree_check,sec=sys,secure,root_squash,all_squash,sec=krb5:krb5i,secure,root_squash,no_all_squash,sec=krb5p,secure,no_root_squash,no_all_squash)
[18:12:17 root@ ~~]# exportfs -v 2>/dev/null | sed 's/sec=/\nsec=/g'
/expdir-exportfs
		<world>(rw,sync,wdelay,hide,no_subtree_check,
sec=sys,secure,root_squash,all_squash,
sec=krb5:krb5i,secure,root_squash,no_all_squash,
sec=krb5p,secure,no_root_squash,no_all_squash)
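
An added example (not part of the bug report and not nfs-utils code): a Python check that compares the per-flavor ro/rw requested in an /etc/exports entry with what `exportfs -v` or etab reports, using the option strings quoted in the comments above as sample input. It assumes ro/rw carries forward from one sec= section to the next, as the RHEL 6 output above shows, and that an entry with no ro/rw defaults to ro; the function names are hypothetical.

```python
import re

# Option strings copied from the comments above. FIXED is the verified 0.57
# output, whose /etc/exports entry used the same option list as EXPORTS.
EXPORTS = ("/export_rhel7 127.0.0.1(sec=sys,ro,all_squash,sec=krb5,no_all_squash,"
           "sec=krb5i,rw,root_squash,sec=krb5p,rw,no_root_squash)")
BUGGY = ("/export_rhel7  127.0.0.1(rw,sync,wdelay,hide,no_subtree_check,"
         "sec=sys,secure,root_squash,all_squash,"
         "sec=krb5:krb5i,secure,root_squash,no_all_squash,"
         "sec=krb5p,secure,no_root_squash,no_all_squash)")
FIXED = ("<world>(sync,wdelay,hide,no_subtree_check,"
         "sec=sys,ro,secure,root_squash,all_squash,"
         "sec=krb5,ro,secure,root_squash,no_all_squash,"
         "sec=krb5i,rw,secure,root_squash,no_all_squash,"
         "sec=krb5p,rw,secure,no_root_squash,no_all_squash)")


def options_of(line):
    """Return the text inside the parentheses of an export entry."""
    m = re.search(r"\(([^()]*)\)", line)
    if not m:
        raise ValueError("no option list in: %r" % line)
    return m.group(1)


def per_flavor_access(options, default="ro"):
    """Map each sec= flavor to the ro/rw in force for it (assumed carry-forward)."""
    access, active, current = {}, [], default
    for opt in (o.strip() for o in options.split(",")):
        if opt.startswith("sec="):
            active = opt[4:].split(":")   # sec=krb5:krb5i names two flavors
        elif opt in ("ro", "rw"):
            current = opt                 # carries forward to later sections
        else:
            continue                      # squash, sync, etc. are not checked here
        for flavor in active:
            access[flavor] = current
    return access


def widened_flavors(exports_line, effective_line):
    """Flavors configured read-only that the effective export does not show as ro."""
    want = per_flavor_access(options_of(exports_line))
    got = per_flavor_access(options_of(effective_line))
    return sorted(f for f, a in want.items() if a == "ro" and got.get(f) != "ro")


if __name__ == "__main__":
    print("0.53 output:", widened_flavors(EXPORTS, BUGGY))
    print("0.57 output:", widened_flavors(EXPORTS, FIXED))
```

On a live server the second argument would be the matching line from /var/lib/nfs/etab or `exportfs -v` for the same path and client.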

Comment 9 errata-xmlrpc 2018-10-30 11:48:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3311