NetBSD Problem Report #18222
Received: (qmail 24174 invoked by uid 605); 7 Sep 2002 18:03:09 -0000
Message-Id: <20020907180306.3D3FCAC@proven.weird.com>
Date: Sat, 7 Sep 2002 14:03:06 -0400 (EDT)
From: woods@weird.com (Greg A. Woods)
Sender: gnats-bugs-owner@netbsd.org
Reply-To: woods@planix.com (Greg A. Woods)
To: gnats-bugs@gnats.netbsd.org
Subject: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
X-Send-Pr-Version: 3.95
>Number: 18222
>Category: bin
>Synopsis: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Sep 07 18:04:01 +0000 2002
>Closed-Date:
>Last-Modified: Sat Sep 07 21:22:00 +0000 2002
>Originator: Greg A. Woods
>Release: 2002/09/06
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD
>Description:
Mountd(8) uses the vaule '-2' as the default "maroot" user-ID
and group-ID (i.e. it is the UID and GID that root users from
remote clients are mapped into when they access files on the NFS
server). Unfortunately due to checks in pw_scan(3) it's
impossible for the NFS server administrator to add a user with
this user-ID to the local password file (eg. so that files
created by remote NFS client root users will show up with a
meaningful local username).
This is due to the current artificial ceiling on the values of
UID_MAX and GID_MAX, used by the checks imposed in pw-scan(3).
Given that uid_t and gid_t are defined as u_int32_t I believe
the only integer value that is actually invalid for a user-ID or
group-ID is UINT_MAX (i.e. -1 when converted to an int32_t).
(even -1 may not be strictly necessary to reserve, but it's used
as an error value in so many places that not reserving it is
only an invitation to problems)
>How-To-Repeat:
Attempt to add a line like the following to /etc/master.passwd
using vipw(8):
nfsnbody:*:4294967294:4294967294::0:0:NFS unprivileged (default maproot) user:/nonexistant:/sbin/nologin
>Fix:
increase UID_MAX and GID_MAX to (UINT_MAX-1)
Index: syslimits.h
===================================================================
RCS file: /cvs/NetBSD/src/sys/sys/syslimits.h,v
retrieving revision 1.1.1.7
diff -c -r1.1.1.7 syslimits.h
*** syslimits.h 13 Jun 2001 07:04:40 -0000 1.1.1.7
--- syslimits.h 7 Sep 2002 17:35:12 -0000
***************
*** 43,55 ****
#if !defined(_ANSI_SOURCE)
#define ARG_MAX (256 * 1024) /* max bytes for an exec function */
#define CHILD_MAX 160 /* max simultaneous processes */
! #define GID_MAX 2147483647U /* max value for a gid_t (2^31-2) */
#define LINK_MAX 32767 /* max file link count */
#define MAX_CANON 255 /* max bytes in term canon input line */
#define MAX_INPUT 255 /* max bytes in terminal input */
#define NAME_MAX 255 /* max bytes in a file name */
#define NGROUPS_MAX 16 /* max supplemental group id's */
! #define UID_MAX 2147483647U /* max value for a uid_t (2^31-2) */
#define OPEN_MAX 64 /* max open files per process */
#define PATH_MAX 1024 /* max bytes in pathname */
#define PIPE_BUF 512 /* max bytes for atomic pipe writes */
--- 43,55 ----
#if !defined(_ANSI_SOURCE)
#define ARG_MAX (256 * 1024) /* max bytes for an exec function */
#define CHILD_MAX 160 /* max simultaneous processes */
! #define GID_MAX (UINT_MAX-1) /* max value for a gid_t (2^32-1) */
#define LINK_MAX 32767 /* max file link count */
#define MAX_CANON 255 /* max bytes in term canon input line */
#define MAX_INPUT 255 /* max bytes in terminal input */
#define NAME_MAX 255 /* max bytes in a file name */
#define NGROUPS_MAX 16 /* max supplemental group id's */
! #define UID_MAX (UINT_MAX-1) /* max value for a uid_t (2^32-1) */
#define OPEN_MAX 64 /* max open files per process */
#define PATH_MAX 1024 /* max bytes in pathname */
#define PIPE_BUF 512 /* max bytes for atomic pipe writes */
>Release-Note:
>Audit-Trail:
From: David Laight <david@l8s.co.uk>
To: netbsd-bugs@netbsd.org
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
Date: Sat, 7 Sep 2002 19:23:10 +0100
> >Synopsis: patch to allow a uid or gid of (-2) matching default
> NFS mapping for remote root users
>
> increase UID_MAX and GID_MAX to (UINT_MAX-1)
Wouldn't it be better to use (~(uid_t)0 - 1) and (~(gid_t)0 - 1) ?
David
--
David Laight: david@l8s.co.uk
From: David Laight <david@l8s.co.uk>
To: netbsd-bugs@netbsd.org
Cc: gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
Date: Sat, 7 Sep 2002 19:44:09 +0100
On Sat, Sep 07, 2002 at 07:23:10PM +0100, David Laight wrote:
> > >Synopsis: patch to allow a uid or gid of (-2) matching default
> > NFS mapping for remote root users
> >
> > increase UID_MAX and GID_MAX to (UINT_MAX-1)
>
> Wouldn't it be better to use (~(uid_t)0 - 1) and (~(gid_t)0 - 1) ?
A quick look at the history of syslimits.h (brought on by the fact
that the comments for these values didn't match the value) shows
that the limit has been 2^32-2 before.
It was changed because setreu/gid() allows -1 (meaning don't
change) which has to be within the domain of u/gid_t.
This is another of those types [1] whose domain is -1..MAXINT-1
that C doesn't quite copy with.
David
[1] includes pid_t and the return value from lseek(), probably
really size_t in genaral.
--
David Laight: david@l8s.co.uk
From: woods@weird.com (Greg A. Woods)
To: David Laight <david@l8s.co.uk>
Cc: netbsd-bugs@netbsd.org, gnats-bugs@gnats.netbsd.org
Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
Date: Sat, 7 Sep 2002 15:51:08 -0400 (EDT)
[ On Saturday, September 7, 2002 at 19:23:10 (+0100), David Laight wrote: ]
> Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
>
> > >Synopsis: patch to allow a uid or gid of (-2) matching default
> > NFS mapping for remote root users
> >
> > increase UID_MAX and GID_MAX to (UINT_MAX-1)
>
> Wouldn't it be better to use (~(uid_t)0 - 1) and (~(gid_t)0 - 1) ?
Yes, I suppose it would! Thanks!
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
From: woods@weird.com (Greg A. Woods)
To: netbsd-bugs@netbsd.org, gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
Date: Sat, 7 Sep 2002 17:01:00 -0400 (EDT)
[ On Saturday, September 7, 2002 at 19:44:09 (+0100), David Laight wrote: ]
> Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
>
> On Sat, Sep 07, 2002 at 07:23:10PM +0100, David Laight wrote:
> > > >Synopsis: patch to allow a uid or gid of (-2) matching default
> > > NFS mapping for remote root users
> > >
> > > increase UID_MAX and GID_MAX to (UINT_MAX-1)
> >
> > Wouldn't it be better to use (~(uid_t)0 - 1) and (~(gid_t)0 - 1) ?
>
> A quick look at the history of syslimits.h (brought on by the fact
> that the comments for these values didn't match the value) shows
> that the limit has been 2^32-2 before.
>
> It was changed because setreu/gid() allows -1 (meaning don't
> change) which has to be within the domain of u/gid_t.
Yes, I remember that -- but the change was ultra-conservative and
results in my "nfsanon" user being "invalid". My PR is in part in
(delayed) response to that change.
2^32-1 is the correct limit to allow for -2 as a valid value and -1 as a
special meaning to things like setreuid() [which I don't really care
about anywas as I've disabled it on my own systems for security reasons ;-)].
> This is another of those types [1] whose domain is -1..MAXINT-1
> that C doesn't quite copy with.
It's not C that's at fault -- it's bad/lazy API design. :-)
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
From: David Laight <david@l8s.co.uk>
To: netbsd-bugs@netbsd.org, gnats-bugs@gnats.netbsd.org
Cc:
Subject: Re: bin/18222: patch to allow a uid or gid of (-2) matching default NFS mapping for remote root users
Date: Sat, 7 Sep 2002 22:24:38 +0100
I've looked at the posix/ieee definitions of uid_t, gid_t and pid_t on
http://www.opengroup.org/onlinepubs/007904975/basedefs/sys/types.h.html
uid_t and gid_t are defined to be unsigned, and pid_t signed.
setreuid() is there, and requires -1 to be valid for an unsigned
parameter. C's 'Integral Convertions' DTRT (by K&R2) [1] but I bet
gcc will give a warning.
NetBSD sys/ansi.h seems to have an unsigned pid_t....
David
[1] by definition (unsigned long long)(signed char)-1 == ~0ull
--
David Laight: david@l8s.co.uk
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.