Bug 2187641 - [virtiofs] FUSE supplementary group extension support
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: virtiofsd
Version: 9.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: German Maglione
QA Contact: xiagao
Depends On: 2222221
Reported: 2023-04-18 09:43 UTC by German Maglione
Modified: 2023-07-28 10:12 UTC (History)

Fixed In Version: virtiofsd-1.7.0-1.el9
Type: Bug


Links
System ID | Private | Priority | Status | Summary | Last Updated
Gitlab virtio-fs virtiofsd issues 59 | 0 | None | opened | supplementary group support | 2023-04-18 09:45:02 UTC
Gitlab virtio-fs virtiofsd merge_requests 160 | 0 | None | opened | Add supplementary group extension support | 2023-04-18 09:45:44 UTC
Red Hat Bugzilla 2141629 | 0 | unspecified | CLOSED | [virtiofsd] Keep `DAC_OVERRIDE` after changing the uid/gid | 2023-07-28 01:10:04 UTC
Red Hat Issue Tracker KATA-1776 | 0 | None | None | None | 2023-04-18 09:44:40 UTC
Red Hat Issue Tracker RHELPLAN-155022 | 0 | None | None | None | 2023-04-18 09:45:11 UTC

Description German Maglione 2023-04-18 09:43:16 UTC
Kernel version 6.3 adds support for sending the user supplementary groups (Bug 2134128):

https://lore.kernel.org/lkml/Y%2FzYyN7NeLKusmSj@miu.piliscsaba.redhat.com/#r

The current version of virtiofsd only implements a workaround to this problem.
It keeps CAP_DAC_OVERRIDE after switching uid/gid (Bug 2141629), but this trick doesn't work over NFS or CephFS. This is also required to fix https://issues.redhat.com/browse/KATA-1776

How reproducible:
100%

Steps to Reproduce:
1. start virtiofsd over an NFS shared dir
root# virtiofsd --shared-dir=/.../some_nfs_shared_dir ...

2. start the guest.

3. (in guest) mount the virtiofs
root# mount -t virtiofs myfs /mnt

4. (in guest) add a user and add it to the wheel group (as supplementary group)
root# useradd u1
root# passwd u1
root# usermod -G wheel u1

5. (in guest) as root, create a test directory
root# mkdir -m 0770 testdir
root# chgrp wheel testdir

6. (in guest) switch to u1 user and try to create a file inside the test directory
root# su u1
u1$ touch testdir/file


Actual results:
fails with "Permission denied"

Expected results:
# ls -l testdir/file 
-rw-r--r-- 1 user user 0 nov 10 11:12 testdir/file
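
Added example, not part of the original report and not virtiofsd code: a simplified shell model of the Unix owner/group/other permission check, decided only from the credentials that accompany a request, showing why step 6 is denied when just uid/gid are presented and allowed once the supplementary group is included. The numeric ids (u1 = 1001, wheel = 10) and the function names are constructed for illustration; ACLs and capabilities are ignored.

```shell
#!/bin/sh
# Simplified Unix DAC check: owner/group/other bits only (no ACLs, no
# capabilities), decided purely from the credentials presented.
# Usage: dac_allows UID GID "SUPPL_GIDS" OWNER_UID OWNER_GID MODE WANT
#   MODE: octal permission bits, e.g. 770
#   WANT: bitmask of needed access (4=read, 2=write, 1=execute/search)
# Returns 0 when every WANT bit is granted, 1 otherwise.
dac_allows() {
    uid=$1; gid=$2; suppl=$3; o_uid=$4; o_gid=$5; mode=$6; want=$7
    m=$((0$mode))                       # leading 0 makes the shell parse octal
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(( (m >> 6) & 7 ))        # owner class wins, even if its bits are weaker
    else
        in_group=0
        for g in $gid $suppl; do        # primary gid plus supplementary gids
            if [ "$g" -eq "$o_gid" ]; then in_group=1; fi
        done
        if [ "$in_group" -eq 1 ]; then
            bits=$(( (m >> 3) & 7 ))
        else
            bits=$(( m & 7 ))
        fi
    fi
    [ $(( bits & want )) -eq "$want" ]
}

# Constructed ids for the scenario in the report: u1 is uid 1001 / gid 1001,
# wheel is gid 10, testdir is root:wheel with mode 0770.
# Creating testdir/file needs write + search on the directory (2|1 = 3).
# $1 is the list of supplementary gids that accompanies the request.
scenario() {
    if dac_allows 1001 1001 "$1" 0 10 770 3; then
        echo allowed
    else
        echo denied
    fi
}

echo "uid/gid only:            $(scenario "")"
echo "uid/gid + supplementary: $(scenario "10")"
```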

Comment 1 xiagao 2023-07-21 03:08:15 UTC
Tested together with the kernel package in https://bugzilla.redhat.com/show_bug.cgi?id=2134128#c14; the result is good, with no permission issue with NFS as the virtiofs backend.
So pre-verifying it.

Comment 2 Yanan Fu 2023-07-25 05:45:28 UTC
Can anyone help update the 'Fixed in Version' field with the build NVR, please? Thanks!

Comment 5 xiagao 2023-07-28 10:12:36 UTC
Verified this bug with virtiofsd-1.7.

