Hello,
after upgrading our nfs-server from 4.9.75 to 4.9.78 group permissions stopped working (for clients). If you need group permissions to access a file or directory, sometimes access is granted, but rather often denied. Often access to the same object is denied within seconds after access was granted in an earlier access. User permissions work fine.
Downgrading to 4.9.75 fixes the issue.
We use Kerberos.
Regards,
On Mon, Jan 29, 2018 at 01:22:49PM +0100, Wolfgang Walter wrote:
> Hello,
> after upgrading our nfs-server from 4.9.75 to 4.9.78 group permissions stopped working (for clients). If you need group permissions to access a file or directory, sometimes access is granted, but rather often denied. Often access to the same object is denied within seconds after access was granted in an earlier access. User permissions work fine.
> Downgrading to 4.9.75 fixes the issue.
Any chance you can use 'git bisect' to find the offending commit?
And also, does 4.14 work properly for you? 4.15?
thanks,
greg k-h
Hello!
On Monday, 29 January 2018, 13:22:49, Wolfgang Walter wrote:
> Hello,
> after upgrading our nfs-server from 4.9.75 to 4.9.78 group permissions stopped working (for clients). If you need group permissions to access a file or directory, sometimes access is granted, but rather often denied. Often access to the same object is denied within seconds after access was granted in an earlier access. User permissions work fine.
> Downgrading to 4.9.75 fixes the issue.
> We use Kerberos.
> Regards,
This seems to be fixed in 4.15 with commit 1995266727fa8143897e89b55f5d3c79aa828420:
commit 1995266727fa8143897e89b55f5d3c79aa828420
Author: Ben Hutchings <ben.hutchings@codethink.co.uk>
Date:   Mon Jan 22 20:11:06 2018 +0000

    nfsd: auth: Fix gid sorting when rootsquash enabled

    Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility group_info allocators") appears to break nfsd rootsquash in a pretty major way.

    It adds a call to groups_sort() inside the loop that copies/squashes gids, which means the valid gids are sorted along with the following garbage. The net result is that the highest numbered valid gids are replaced with any lower-valued garbage gids, possibly including 0.

    We should sort only once, after filling in all the gids.

    Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Acked-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

So this should be applied to stables 4.4, 4.9 and 4.14 (and others where bdcf0a423ea1 has been backported to).
Regards,
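
Added illustration, not part of the original thread and not kernel source: a user-space C model of the copy/squash loop that the quoted commit message describes, with the sort either inside the loop (the regression) or once after it (the fix). The gid values, the anonymous gid 65534, the "garbage" arrays standing in for uninitialised memory, and all function names are constructed for this model.

```c
/* User-space model of the gid copy/squash loop; not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N 4
#define ANON_GID 65534u /* assumed anonymous gid for the model */

static int cmp_gid(const void *a, const void *b)
{
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}

/* dst arrives pre-filled with "garbage" standing in for uninitialised memory.
 * sort_in_loop = 1 models the regression, 0 models the fix. */
static void squash_gids(unsigned *dst, const unsigned *src, int sort_in_loop)
{
    for (size_t i = 0; i < N; i++) {
        dst[i] = src[i] == 0 ? ANON_GID : src[i]; /* root squash */
        if (sort_in_loop)
            qsort(dst, N, sizeof(*dst), cmp_gid); /* also moves unfilled slots */
    }
    if (!sort_in_loop)
        qsort(dst, N, sizeof(*dst), cmp_gid);     /* sort once, all slots valid */
}

/* Returns 1 if gid is in the list built from the constructed client list. */
static int model_has_gid(const unsigned *garbage, int sort_in_loop, unsigned gid)
{
    static const unsigned client[N] = {0, 100, 2000, 3000}; /* constructed */
    unsigned dst[N];

    memcpy(dst, garbage, sizeof(dst));
    squash_gids(dst, client, sort_in_loop);
    return bsearch(&gid, dst, N, sizeof(*dst), cmp_gid) != NULL;
}

static const unsigned low_garbage[N]  = {7, 0, 5, 1};                 /* constructed */
static const unsigned high_garbage[N] = {70000, 70001, 70002, 70003}; /* constructed */

int main(void)
{
    printf("loop sort, low garbage:  gid 100 %d, gid 0 %d\n",
           model_has_gid(low_garbage, 1, 100), model_has_gid(low_garbage, 1, 0));
    printf("loop sort, high garbage: gid 100 %d, gid 0 %d\n",
           model_has_gid(high_garbage, 1, 100), model_has_gid(high_garbage, 1, 0));
    printf("single sort:             gid 100 %d, gid 0 %d\n",
           model_has_gid(low_garbage, 0, 100), model_has_gid(low_garbage, 0, 0));
    return 0;
}
```

In this model the in-loop sort gives the right list only when every garbage value happens to be larger than every valid gid; with low garbage, gid 100 is dropped and gid 0 appears in the list.
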
On Mon, Jan 29, 2018 at 02:42:49PM +0100, Wolfgang Walter wrote:
> Hello!
> On Monday, 29 January 2018, 13:22:49, Wolfgang Walter wrote:
> > Hello,
> > after upgrading our nfs-server from 4.9.75 to 4.9.78 group permissions stopped working (for clients). If you need group permissions to access a file or directory, sometimes access is granted, but rather often denied. Often access to the same object is denied within seconds after access was granted in an earlier access. User permissions work fine.
> > Downgrading to 4.9.75 fixes the issue.
> > We use Kerberos.
> > Regards,
> This seems to be fixed in 4.15 with commit 1995266727fa8143897e89b55f5d3c79aa828420:
> commit 1995266727fa8143897e89b55f5d3c79aa828420
> Author: Ben Hutchings <ben.hutchings@codethink.co.uk>
> Date:   Mon Jan 22 20:11:06 2018 +0000
>
>     nfsd: auth: Fix gid sorting when rootsquash enabled
>
>     Commit bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility group_info allocators") appears to break nfsd rootsquash in a pretty major way.
>
>     It adds a call to groups_sort() inside the loop that copies/squashes gids, which means the valid gids are sorted along with the following garbage. The net result is that the highest numbered valid gids are replaced with any lower-valued garbage gids, possibly including 0.
>
>     We should sort only once, after filling in all the gids.
>
>     Fixes: bdcf0a423ea1 ("kernel: make groups_sort calling a responsibility ...")
>     Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
>     Acked-by: J. Bruce Fields <bfields@redhat.com>
>     Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> So this should be applied to stables 4.4, 4.9 and 4.14 (and others where bdcf0a423ea1 has been backported to).
Ah, good catch, I missed that this had been merged already.
Now queued up to all relevant stable trees, thanks so much for the report.
greg k-h
linux-stable-mirror@lists.linaro.org