Bug 202659 - rpcsec_gss has a 16-group limit
Summary: rpcsec_gss has a 16-group limit
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.2-RELEASE
Hardware: Any Any
Importance: Normal Affects Some People
Assignee: Josh Paetzel
URL:
Keywords: patch
Duplicates: 168335
Depends on:
Blocks:
 
Reported: 2015-08-25 18:36 UTC by Matthew L. Dailey
Modified: 2015-11-10 14:22 UTC
CC List: 2 users

See Also:


Attachments
Patch for svc_rpcsec_gss to switch from RPCAUTH_UNIXGIDS to NGROUPS (986 bytes, patch)
2015-08-25 18:36 UTC, Matthew L. Dailey
Patch for gssd to switch from NGRPS to NGROUPS (361 bytes, patch)
2015-08-25 18:37 UTC, Matthew L. Dailey

Description Matthew L. Dailey 2015-08-25 18:36:26 UTC
Created attachment 160354
Patch for svc_rpcsec_gss to switch from RPCAUTH_UNIXGIDS to NGROUPS

System: FreeBSD freebsd-test 10.2-RELEASE FreeBSD 10.2-RELEASE #1: Fri Aug 21 11:12:07 EDT 2015     root@freebsd-test.thayer.dartmouth.edu:/usr/obj/usr/src/sys/GENERIC_GSS  amd64
I have observed this issue as far back as 9.1-RELEASE.

Overview:
The kernel code for svc_rpcsec_gss and the userspace code for gssd implement a 16-group limit for users.

Steps to reproduce:
The first step is to have a working FreeBSD nfs4 server tied into a kerberos infrastructure and exporting directories with one of the krb5 security flavors.
The FreeBSD nfs4 server requires a kernel built with:
options         KGSSAPI
device          crypto

Here is the simple /etc/exports on the server:
V4: /exports -sec=krb5:krb5i
/exports -sec=krb5

Add a user to more than 16 groups on the nfs4 server:
# groups testuser
staff group1 group2 group3 group4 group5 group6 group7 group8 group9 group10 group11 group12 group13 group14 group15 group16

Set permissions on an exported directory for the 17th or higher group
# ls -ld /exports/group16
drwxrwxr-x  2 root  group16  3 Aug 21 13:08 /exports/group16

Try to access this directory as this user from a remote client
# mount -t nfs4 -osec=krb5,nosuid freebsd-test:/ /mnt/exports
$ touch /mnt/exports/group16/testfile
touch: cannot touch `/mnt/exports/group16/testfile`: Permission denied

Directories with permissions for the 16th and under groups work:
server# ls -ld /exports/group15
drwxrwxr-x  2 root  group15  3 Aug 21 10:29 /exports/group15
client$ touch /mnt/exports/group15/testfile
client$ ls -al /mnt/exports/group15/testfile
-rw-r--r-- 1 testuser group15 0 Aug 21 10:29 /mnt/exports/group15/testfile

Problem description:
This problem appears to come from defines in both sys/rpc/rpcsec_gss/svc_rpcsec_gss.c and usr.sbin/gssd/gssd.c

In sys/rpc/rpcsec_gss/svc_rpcsec_gss.c, the group limit is defined using RPCAUTH_UNIXGIDS. It looks like this may have originally come from sys/fs/nfs/rpc2.h, but I don't think this is included by the code, so RPCAUTH_UNIXGIDS is defined locally.

In usr.sbin/gssd/gssd.c, the group limit is defined using NGRPS. This comes ultimately from sys/rpc/auth_unix.h, which is included in gssd.c from sys/rpc/rpc.h.

Proposed solution:
In both cases, I would propose that this be fixed by using the NGROUPS definition from sys/sys/param.h instead of the existing definitions. This will not only lift the current 16-group limit, but allow the code to track future increases in this value.

There was previously a buffer issue in gssd that prevented this increase, but this was fixed in May 2013 in base r250176.

We have been running a production system (originally 9.1-RELEASE, upgraded to 9.3-RELEASE in March 2015) where I raised the limit in both svc_rpcsec_gss.c and gssd.c to 256 groups. This has been running since May 2013 without any problems. I have also tested these exact patches on a 10.2-RELEASE system, and experienced no problems in limited testing.

Attached are my proposed patches. Please let me know if you have any questions or need any other information about these patches.
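The mechanism behind the report above, as an added example that is not part of the bug report or of FreeBSD's code: the group list returned for the Kerberos-mapped user is copied into a fixed-size gid array, and memberships past the cap are silently dropped rather than rejected, so a directory owned by the 17th group answers with EACCES while the 16th still works. The identities, gids and the value 1024 for NGROUPS are assumptions constructed for the simulation; only the 16-entry cap comes from the report.

```c
/* Added example: simulates how a fixed-size gid array truncates a user's
 * group list and why the 17th group's directory becomes unwritable.
 * Not FreeBSD code; all constants and identities below are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define OLD_GID_LIMIT 16      /* pre-patch cap: RPCAUTH_UNIXGIDS / NGRPS in the report */
#define NEW_GID_LIMIT 1024    /* assumed value of NGROUPS; not stated on the page */

/* Credential as the NFS server sees it after the RPCSEC_GSS principal has
 * been mapped to a Unix identity. Modelled on FreeBSD's struct ucred:
 * groups[0] is the effective gid, the rest are supplementary groups. */
struct mapped_cred {
    uid_t uid;
    gid_t groups[NEW_GID_LIMIT];
    int   ngroups;
    int   dropped;   /* memberships that did not fit under the cap */
};

/* Copy the full group list into the credential, honouring `cap`.
 * The reported bug is this loop with cap == 16: no error is raised,
 * the tail of the list is simply never copied. Returns the drop count. */
int map_groups(struct mapped_cred *c, uid_t uid,
               const gid_t *groups, int ngroups, int cap)
{
    c->uid = uid;
    c->ngroups = 0;
    c->dropped = 0;
    if (cap > NEW_GID_LIMIT)
        cap = NEW_GID_LIMIT;
    for (int i = 0; i < ngroups; i++) {
        if (c->ngroups < cap)
            c->groups[c->ngroups++] = groups[i];
        else
            c->dropped++;
    }
    return c->dropped;
}

bool cred_has_gid(const struct mapped_cred *c, gid_t gid)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* Minimal POSIX mode-bit check for write access (enough for drwxrwxr-x). */
bool may_write(const struct mapped_cred *c, uid_t owner, gid_t group, mode_t mode)
{
    if (c->uid == 0)
        return true;                       /* root bypasses mode bits */
    if (c->uid == owner)
        return (mode & S_IWUSR) != 0;
    if (cred_has_gid(c, group))
        return (mode & S_IWGRP) != 0;
    return (mode & S_IWOTH) != 0;
}

/* Constructed identity mirroring the report: testuser (uid 1001), primary
 * group staff (gid 20), plus group1..group16 (gids 1001..1016): 17 groups. */
#define TESTUSER_UID 1001
#define STAFF_GID    20
#define GROUP_GID(n) (1000 + (n))

/* Can testuser write into /exports/groupN (root:groupN, mode 0775) when the
 * server carries at most `cap` gids per credential? */
bool can_write_group_dir(int n, int cap)
{
    gid_t list[17];
    list[0] = STAFF_GID;
    for (int i = 1; i <= 16; i++)
        list[i] = GROUP_GID(i);

    struct mapped_cred cred;
    map_groups(&cred, TESTUSER_UID, list, 17, cap);
    return may_write(&cred, 0, GROUP_GID(n), 0775);
}

int main(void)
{
    for (int n = 15; n <= 16; n++)
        printf("group%-2d cap=16: %s  cap=NGROUPS: %s\n", n,
               can_write_group_dir(n, OLD_GID_LIMIT) ? "ok" : "EACCES",
               can_write_group_dir(n, NEW_GID_LIMIT) ? "ok" : "EACCES");
    return 0;
}
```

With the cap at 16 the credential holds staff plus group1..group15, so group15 passes and group16 fails exactly as in the touch transcript; with the larger cap both pass. The practical check after applying the patch is the same one the reporter used: a directory group-owned by a membership beyond the 16th, touched over a sec=krb5 mount.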
Comment 1 Matthew L. Dailey 2015-08-25 18:37:13 UTC
Created attachment 160355
Patch for gssd to switch from NGRPS to NGROUPS
Comment 2 Josh Paetzel freebsd_committer freebsd_triage 2015-09-24 15:28:18 UTC
Rick,

Do you have any thoughts about this change?
Comment 3 Josh Paetzel freebsd_committer freebsd_triage 2015-09-26 14:20:16 UTC
In private email both rmacklem@ and dfr@ have approved this.

In addition the submitter has been running with this change in production for over two years.
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-09-26 16:30:36 UTC
A commit references this bug:

Author: jpaetzel
Date: Sat Sep 26 16:30:18 UTC 2015
New revision: 288272
URL: https://svnweb.freebsd.org/changeset/base/288272

Log:
  Increase group limit for kerberized NFSv4

  PR:	202659
  Submitted by:	matthew.l.dailey@dartmouth.edu
  Reviewed by:	rmacklem dfr
  MFC after:	1 week
  Sponsored by:	iXsystems

Changes:
  head/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
  head/usr.sbin/gssd/gssd.c
Comment 5 commit-hook freebsd_committer freebsd_triage 2015-10-05 17:15:18 UTC
A commit references this bug:

Author: jpaetzel
Date: Mon Oct  5 17:15:05 UTC 2015
New revision: 288827
URL: https://svnweb.freebsd.org/changeset/base/288827

Log:
  MFC 288272

  Increase group limit for kerberized NFSv4

  PR:	202659
  Submitted by:	matthew.l.dailey@dartmouth.edu
  Reviewed by:	rmacklem dfr
  Sponsored by:	iXsystems

Changes:
_U  stable/10/
  stable/10/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
  stable/10/usr.sbin/gssd/gssd.c
Comment 6 Josh Paetzel freebsd_committer freebsd_triage 2015-10-12 21:20:36 UTC
*** Bug 168335 has been marked as a duplicate of this bug. ***