Package: nfs-kernel-server
Version: 1:1.2.8-9
Severity: important
Tags: fixed-upstream
Control: merge -1 709403

Dear Maintainer,

after upgrading from version 1:1.2.6-4 several exports on my server lost their no_root_squash flag, causing "Permission denied" errors on the corresponding clients when using root.

After some testing and debugging I came to the following conclusion:

Commit 11ba3b1e01b67b7d19f26fba94fabdb60878e809 (Add a default flavor to an export's e_secinfo list) breaks export option parsing by exportfs in some cases.

Upstream commit 7004991526be90ec2647d28c503936dc91bc9100 (exportfs: Fix the default authentication flavour setting) fixes the bug as a side effect of dealing with another problem sharing the same root cause.

The easiest workaround is to add a sec=xyz option at the beginning of all export option strings.

My test configuration is as follows:

-- /etc/exports --
/srv/nfs4 -fsid=0,async,no_subtree_check,insecure,all_squash 10.0.0.2 10.0.0.3(secure,rw,no_root_squash,no_all_squash)

exportfs -v output from version 1:1.2.8-9:

/srv/nfs4 10.0.0.2(ro,async,wdelay,insecure,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)
/srv/nfs4 10.0.0.3(ro,async,wdelay,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)

but /var/lib/nfs/etab shows

/srv/nfs4 10.0.0.2(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
/srv/nfs4 10.0.0.3(rw,async,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
^ ^ ^ ^ ^ ^

meaning exportfs -a|-r produces an inconsistent etab line. Consequently rw, no_root_squash and no_all_squash get dropped by exportfs -v and mountd (last save wins).

This happens under the following conditions:

(1) A default option specification is present on the export line.
(2) The export line contains an export with rw, ro, [no_]root_squash or [no_]squash_all options different from the implied or declared default options
(3) The option string for this export doesn't contain a sec=xyz option preceding the options named in (2).

The underlying bug is in function parseopts at ./support/nfs/exports.c:646:

A default security flavor containing duplicates of the specified default values for the READONLY, ROOTSQUASH and ALLSQUASH flags is added to the default options. This default flavor is erroneously reused for all exports on the same line in spite of containing flags that can be altered by export specifications. This results in possibly incorrect options at the end of the export specifications in the etab file.

The bug fix is to generate a default security flavor separately for each export that doesn't already have one. This is in effect what upstream commit 7004991526be90ec2647d28c503936dc91bc9100 does by deferring the generation of default security flavors as long as possible.

I have patched version 1:1.2.8-9 with upstream commit 7004991526be90ec2647d28c503936dc91bc9100 and it works as expected:

exportfs -v output from version 1:1.2.8-9.1:

/srv/nfs4 10.0.0.2(ro,async,wdelay,insecure,root_squash,all_squash,no_subtree_check,fsid=0,sec=sys,ro,root_squash,all_squash)
/srv/nfs4 10.0.0.3(rw,async,wdelay,no_root_squash,no_subtree_check,fsid=0,sec=sys,rw,no_root_squash,no_all_squash)

/var/lib/nfs/etab after exportfs -r (version 1:1.2.8-9.1):

/srv/nfs4 10.0.0.2(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
/srv/nfs4 10.0.0.3(rw,async,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,rw,no_root_squash,no_all_squash)

I have set the severity to important in order to be able to merge bug #709403, which looks like an instance of the same bug to me. If this doesn't seem appropriate please adjust as you see fit.

Regards,
Martin B

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (900, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.3-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages nfs-kernel-server depends on:
ii  libblkid1     2.25.2-6
ii  libc6         2.19-18
ii  libcap2       1:2.24-8
ii  libsqlite3-0  3.8.7.4-1
ii  libtirpc1     0.2.5-1
ii  libwrap0      7.6.q-25
ii  lsb-base      4.1+Debian13+nmu1
ii  nfs-common    1:1.2.8-9
ii  ucf           3.0030

nfs-kernel-server recommends no packages.

nfs-kernel-server suggests no packages.

-- no debconf information
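
Added example, not part of the original report and not nfs-utils code: a heuristic check that scans etab text for the symptom described in the report, where the ro/rw and squash flags before sec= contradict the copy written after it. It assumes an entry with a single sec= group should carry the same values in both places; the function names and the regular expression are illustrative, and the sample input is the pair of etab entries quoted in the report.

```python
import re

# Flags that etab repeats after sec= as the per-flavor copy.
PAIRS = [("ro", "rw"), ("root_squash", "no_root_squash"),
         ("all_squash", "no_all_squash")]
ENTRY = re.compile(r"^(\S+)\s+([^\s(]+)\((.*)\)$")

def flag_state(opts):
    """Map each pair (keyed by its first name) to the last value seen."""
    state = {}
    for opt in opts:
        for pair in PAIRS:
            if opt in pair:
                state[pair[0]] = opt
    return state

def inconsistent_exports(etab_text):
    """Return [(path, client, [(export_flag, flavor_flag), ...])] for
    entries whose flags before sec= contradict the copy after it."""
    findings = []
    for line in etab_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        path, client, optstr = m.groups()
        opts = optstr.split(",")
        sec = [i for i, o in enumerate(opts) if o.startswith("sec=")]
        if len(sec) != 1:
            continue  # assumption: several sec= groups may differ on purpose
        head = flag_state(opts[:sec[0]])
        tail = flag_state(opts[sec[0] + 1:])
        diff = [(head[k], tail[k]) for k, _ in PAIRS
                if k in head and k in tail and head[k] != tail[k]]
        if diff:
            findings.append((path, client, diff))
    return findings

# Sample input: the two etab entries quoted in the report (version 1:1.2.8-9).
SAMPLE_ETAB = """\
/srv/nfs4 10.0.0.2(ro,async,wdelay,hide,nocrossmnt,insecure,root_squash,all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
/srv/nfs4 10.0.0.3(rw,async,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,fsid=0,anonuid=65534,anongid=65534,sec=sys,ro,root_squash,all_squash)
"""

if __name__ == "__main__":
    for path, client, diff in inconsistent_exports(SAMPLE_ETAB):
        print(f"{path} {client}: " + ", ".join(f"{a} vs {b}" for a, b in diff))
```

On a live server the same function can be fed the contents of /var/lib/nfs/etab after exportfs -r; an empty result means no single-flavor entry shows the mismatch.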