Permission denied when user belongs to group that owns group writable or setgid directories mounted via nfs

Bug #110132 reported by Jon Skanes

This bug report was converted into a question: question #24054: Permission denied when user belongs to group that owns group writable or setgid directories mounted via nfs.

Affects: linux-source-2.6.20 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: linux-source-2.6.20

This problem manifested itself after upgrading to feisty. It occurs with both NFSv3 and NFSv4.

This seems to be a serious problem. Not having access to group permissions makes NFS rather useless.

Here's a sample directory structure:

vicky@vickylaptopwired:/export$ ls -l
total 4
drwxrwsr-x 14 root store 4096 2007-04-25 19:16 store

vicky@vickylaptopwired:/export$ ls -l store
total 204
drwxrwx--- 4 jon media 4096 2006-11-04 20:09 Books
drwx------ 2 root root 16384 2006-07-07 17:17 lost+found
drwxrws--- 19 jon media 49152 2006-12-23 13:18 Pics
drwxrwsr-x 4 jon prism 4096 2007-01-25 07:14 Prism
drwxrwsr-x 11 jon software 4096 2007-03-27 09:53 Software
drwxrwsr-x 3 jon store 4096 2007-03-27 12:16 Temp

Here's vicky's group memberships:
vicky@vickylaptopwired:/export$ id vicky
uid=1001(vicky) gid=1001(vicky) groups=1001(vicky),0(root),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),60(games),100(users),101(dhcp),102(syslog),109(lpadmin),111(scanner),113(admin),407(media),401(prism),403(software),402(store)

Here's the error:
vicky@vickylaptopwired:/export/store$ cd Books/
-su: cd: Books/: Permission denied

I, as user jon, have no problem.

Thanks,
Jon

Tags: client nfs
Jon Skanes (jon-skanes) wrote :

It seems I'm not the only one with the problem:

http://ubuntuforums.org/showthread.php?t=295765

Miguel Yarza (miguel-yarza) wrote :

Same problem here.
I had an nfs server with edgy and two nfs clients with edgy. I upgraded one of the clients to feisty and got "Permission denied" on group-writable files, while the other edgy client works correctly.

uids and gids are the same in server and clients.

topo@server:/etc$ cat exports
/media/server_media \
192.168.1.0/255.255.255.0(no_root_squash,rw,secure,async,no_subtree_check,mountpoint)

topo@clientfeisty:/server_media/test$ mount
server:/media/server_media on /var/autofs/misc/server_media type nfs (rw,rsize=8192,wsize=8192,hard,intr,nfsvers=3,actimeo=0,addr=192.168.1.179)

topo@clientfeisty:/server_media/test$ id
uid=1000(topo) gid=1000(topo) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),44(video),46(plugdev),105(mythtv),106(lpadmin),110(scanner),112(admin),1000(topo),1003(media),1004(camera)

topo@clientfeisty:/server_media/test$ ls -al
total 12
drwxrwsr-x 2 topo media 4096 2007-05-03 02:40 .
drwxrwsr-x 21 root media 4096 2007-05-03 02:39 ..
-rw-rw-r-- 1 mikel media 4 2007-05-03 02:41 foo

topo@clientfeisty:/server_media/test$ echo "bar" > foo
bash: foo: Permission denied

Thanks,
Miguel

Miguel Yarza (miguel-yarza) wrote :

Jon, it is not a bug; it is a limitation of the nfs filesystem, which sends only the first 16 groups you belong to in the request. In your case group media is 18, so the permission is not granted.
You can see an explanation and possible solutions at:
http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html
I think the problem appeared when we upgraded to feisty because our users were added to new groups exceeding the 16 group limit.
I think the bug should be closed.
Regards,

Miguel

Joakim Larsson (joakim-bildrulle) wrote :

I just stumbled on this one which has been a problem for people where I work for almost a year. Most people having this problem either converted to other Linux dists such as Suse or in a couple of cases even worse, back to Windows. People started to have two computers just to be able to work in Ubuntu and have one that worked with the NFS network. We looked everywhere in the network for the problem.

I think this is an Ubuntu problem, using so many groups in its configuration, and I think an effort to diagnose the problem and to control it would be very useful and beneficial for Ubuntu. The problem is that the NIS groups are added to the list of local groups, so there is no way to know in advance how many groups we have.

Instead the NFS client could try to figure out what groups are of interest for a particular RPC by examining the target directory/file ownership, or it could retry with a new set of group ID:s until all have been tried. Today it seems that the group ID:s are sent sorted in ascending order and no warnings are produced about the chopped-off group ID:s. I think the NFS client handling could be improved.

BR

Joakim
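
Added example, not part of the original thread: a shell model of the 16-group truncation described in the two comments above, run against the `id vicky` line from the bug description. It assumes the client fills the 16 slots in the order `id` lists the groups (pass `sorted` for the ascending-gid order Joakim reports); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the 16-entry group list of an AUTH_SYS RPC credential.
# Assumption: groups are sent in the order `id` lists them; pass "sorted" to
# model ascending-gid order instead. All function names are hypothetical.
RPC_MAX_GROUPS=16

# Sample input: the `id vicky` line quoted in the bug description.
SAMPLE_ID='uid=1001(vicky) gid=1001(vicky) groups=1001(vicky),0(root),4(adm),20(dialout),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),60(games),100(users),101(dhcp),102(syslog),109(lpadmin),111(scanner),113(admin),407(media),401(prism),403(software),402(store)'

# list_groups ID_LINE: print one "gid name" pair per line.
list_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' |
        sed 's/^\([0-9][0-9]*\)(\(.*\))$/\1 \2/'
}

# ordered_groups ID_LINE [listed|sorted]: the list in the order being modelled.
ordered_groups() {
    if [ "${2:-listed}" = sorted ]; then
        list_groups "$1" | sort -n
    else
        list_groups "$1"
    fi
}

# dropped_groups ID_LINE [order]: names that fall beyond slot 16.
dropped_groups() {
    ordered_groups "$1" "${2:-listed}" |
        awk -v max="$RPC_MAX_GROUPS" \
            'NR > max { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# check_group ID_LINE GROUP [order]: does GROUP reach the server?
check_group() {
    slot=$(ordered_groups "$1" "${3:-listed}" |
        awk -v g="$2" '$2 == g { print NR; exit }')
    if [ -z "$slot" ]; then
        echo "not-member"
    elif [ "$slot" -gt "$RPC_MAX_GROUPS" ]; then
        echo "truncated (slot $slot)"
    else
        echo "sent (slot $slot)"
    fi
}

check_group "$SAMPLE_ID" media    # group that owns Books/ in the report
```

On a live client, `check_group "$(id)" media` runs the same check for the current user.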

eric4143 (eric-young242000) wrote :

I lost sound to my computer and I find it strange cause my sound works at the login screen but as soon as I login I lose sound completely

Changed in linux-source-2.6.20:
status: New → Invalid
Chris C (chrisc-optonline) wrote :

It is an RPC limitation, not NFS. Check this site for details:
http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

Yaroslav Halchenko (yarikoptic) wrote :

Unfortunately, yet again a bug report is closed with some excuses and without actually providing a valid resolution of the problem...

Here you can find an answer on how the problem can actually be solved (many kudos to C Shore):
http://ubuntuforums.org/showpost.php?p=5042655&postcount=4

And here are the details from a man page of rpc.mountd:
       -g or --manage-gids
              Accept requests from the kernel to map user id numbers into
              lists of group id numbers for use in access control. An NFS
              request will normally (except when using Kerberos or other
              cryptographic authentication) contains a user-id and a list
              of group-ids. Due to a limitation in the NFS protocol, at
              most 16 groups ids can be listed. If you use the -g flag,
              then the list of group ids received from the client will be
              replaced by a list of group ids determined by an appropriate
              lookup on the server. Note that the ’primary’ group id is not
              affected so a newgroup command on the client will still be
              effective. This function requires a Linux Kernel with ver‐
              sion at least 2.6.21.

Does the problem persist (i.e. the current configuration doesn't address it)? YES
Does Ubuntu now come with kernel > 2.6.21? YES
Is it possible to solve the problem without much sweat? YES
Does the default installation in any way address or hint at a possible solution? NO afaik

Yaroslav Halchenko (yarikoptic) wrote :

ah... nothing to worry about... Debian people have fixed it (as of nfs-utils 1.1.4-1)
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493059
