Group permissions not respected with "--manage-gids" enabled

Bug #1454112 reported by Elefterios Lundell on 2015-05-12
14
This bug affects 3 people
Affects Status Importance Assigned to Milestone
nfs-utils (Ubuntu)
Undecided
Unassigned

Bug Description

user@cloudVM:/mnt/extraFiles/chroot/home$ ls -l
total 20
drwxrws--- 6 storageUsers storageUsers 4096 maj 12 08:14 actualCommonFiles
drwxr-xr-x 2 root root 4096 maj 12 07:32 commonFilesR
drwxrwxr-x 8 user user 4096 maj 12 08:14 user
drwxrwxr-x 2 user user 4096 maj 9 16:52 guest
drwxr-xr-x 3 storageUsers storageUsers 4096 maj 12 08:50 test

user@cloudVM:/mnt/extraFiles/chroot/home$ groups
user storageUsers commonFilesRW

     ---With "--manage-gids" enabled in /etc/default/nfs-kernel-server (default for Ubuntu 14.04):
user@cloudVM:/mnt/extraFiles/chroot/home$ cd actualCommonFiles/
bash: cd: actualCommonFiles/: Permission denied

     ---Without --manage-gids":
user@cloudVM:/mnt/extraFiles/chroot/home$ cd actualCommonFiles/
user@cloudVM:/mnt/extraFiles/chroot/home/actualCommonFiles$

========

- Expected:

"user" is member of "storageUsers" and should have Read, Write, and List rights for "actualCommonFiles". "cd" should be successful.

- Happened:

"user" was denied access to the "storageUsers" directory.

=======

- This bug has been filed a long time ago https://bugs.launchpad.net/ubuntu/+source/linux/+bug/409366 but was closed.

- NFS Server:

Release:
   Ubuntu 14.04.2 LTS
nfs-kernel-server version:
   Installed: 1:1.2.8-6ubuntu1

- NFS Client:

Release:
   Debian 8
nfs-common:
   Installed: 1:1.2.8-9

//Please excuse any mistakes, this is my first bug report, Thank You.

affects: linux (Ubuntu) → nfs-utils (Ubuntu)
description: updated
tags: added: precise
leah (leah-mail) wrote :

I have same situation with ubuntu server 14.04.2, kernel 3.13.0-32-generic, nfs-kernel-server 1:1.2.8-6ubuntu1

As workarround for me, I disable --manage-gids option. I not have a users more than 16 groups.

I use nfs-clients on RHEL 6.4.

leah (leah-mail) wrote :

In addition if --manage-gids is enabled.
User can access to any own group if he switch primary group via sg command
As example: a user own to t1,t2,t3 groups.
cd t2
# access denied
sg t2
cd t2
# access permitted

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nfs-utils (Ubuntu):
status: New → Confirmed

Can confirm with Ubuntu 16.04 LTS. Workaround was to disable -manage-gids option (in /etc/default/nfs-kernel-server) but something is clearly broken.

Emile Snyder (emile-snyder) wrote :

I suspect that this may be working as designed, and the problem is a misunderstanding of what --manage-gids is supposed to do?

I brought up 2 VMs, server & client. On each, I have a user 'emsnyder' (ldap managed) and 'stack' (not ldap), and a group 'disk.' All the uids and gids match for these users and groups.

emsnyder@server> sudo chown emsnyder:disk /srv/somedisk
emsnyder@server> sudo chmod 775 /srv/somedisk
emsnyder@server> id
uid=110259082(emsnyder) gid=65534(nogroup) groups=65534(nogroup)
emsnyder@server> sudo /etc/init.d/nfs-kernel-server start

emsnyder@client> id
uid=110259082(emsnyder) gid=65534(nogroup) groups=65534(nogroup),6(disk)
emsnyder@client> sudo mount -t nfs server:/srv/somedisk /mnt
emsnyder@client> ls -ld /mnt
drwxrwxr-x 4 emsnyder disk 4096 May 27 12:08 /mnt
emsnyder@client> date > /mnt/f
emsnyder@client> ls -l /mnt
total 20
-rw-r--r-- 1 emsnyder nogroup 31 May 27 12:40 f
drwx------ 2 root root 16384 May 27 11:13 lost+found
emsnyder@client> chown emsnyder:disk /mnt/f
chown: changing ownership of ‘/mnt/f’: Operation not permitted

But if I then
emsnyder@server> sudo adduser emsnyder disk
emsnyder@server> sudo exportfs -r

emsnyder@client> chown emsnyder:disk /mnt/f
emsnyder@client> ls -l /mnt
total 20
-rw-r--r-- 1 emsnyder disk 31 May 27 12:40 f
drwx------ 2 root root 16384 May 27 11:13 lost+found

The --manage-gids (confusingly named, IMHO) means that the server side ignores the group membership information from the client, and looks just at what groups the user has on the server side. Since emsnyder started out without the 'disk' group membership on the server, the chown is denied. Once I added emsnyder to the disk group on the server side, the operation succeeds.

Also, the --manage-gids option is a configuration for the /usr/sbin/rpc.mountd program, which is part of the nfs-kernel-server package, not nfs-utils.

Emile Snyder (emile-snyder) wrote :

Also, I think this should be pointed out in the https://help.ubuntu.com/community/SettingUpNFSHowTo#Group_Permissions page (that page incorrectly, for the default Ubuntu config) states that it's the group permissions on the client that matter, not the server.

But it's not a user editable page, and I couldn't figure out how/where to submit a change in the time I had available to look.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers