From e17178808f7430a17b4cfe8f407b7c2a825d285a Mon Sep 17 00:00:00 2001
From: Sebastien Buisson
Date: Fri, 5 Oct 2018 20:51:57 +0900
Subject: [PATCH] LU-9795 mdt: only set groups if GID is not squashed
In new_init_ucred(), only set groups for local client if GID is not squashed. Otherwise, GID squashing would be by-passed.
Test-Parameters: testlist=sanity-sec envdefinitions=ONLY="17 18 19 20 21 22",SHARED_KEY=true
Signed-off-by: Sebastien Buisson
Change-Id: I56961c62a93d99e6a62c72cca7b4fa6e9b3388b9
Reviewed-on: https://review.whamcloud.com/33316
Tested-by: Jenkins
Reviewed-by: John L. Hammond
Tested-by: Maloo
Reviewed-by: James Simmons
Reviewed-by: Oleg Drokin
---
 lustre/mdt/mdt_lib.c | 10 +++++++++-
 lustre/tests/sanity-sec.sh | 30 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/lustre/mdt/mdt_lib.c b/lustre/mdt/mdt_lib.c
index dddf727..6e5fbf3 100644
--- a/lustre/mdt/mdt_lib.c
+++ b/lustre/mdt/mdt_lib.c
@@ -178,6 +178,7 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 __u32 perm = 0;
 int setuid;
 int setgid;
+ bool is_nm_gid_squashed = false;
 int rc = 0;
 ENTRY;
@@ -220,6 +221,10 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 ucred->uc_suppgids[0] = -1;
 ucred->uc_suppgids[1] = -1;
 }
+
+ if (nodemap && ucred->uc_o_gid == nodemap->nm_squash_gid)
+ is_nm_gid_squashed = true;
+
 nodemap_putref(nodemap);
 if (type == BODY_INIT) {
@@ -288,7 +293,8 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 }
 if (perm & CFS_SETGRP_PERM) {
- if (pud->pud_ngroups) {
+ /* only set groups if GID is not squashed */
+ if (pud->pud_ngroups && !is_nm_gid_squashed) {
 /* setgroups for local client */
 ucred->uc_ginfo = groups_alloc(pud->pud_ngroups);
 if (!ucred->uc_ginfo) {
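Review bot: The check `ucred->uc_o_gid == nodemap->nm_squash_gid` in the `@@ -220` hunk decides "squashed" by value equality, so a client GID that is explicitly mapped onto the same number as the squash GID is also treated as squashed and loses its groups. That errs on the restrictive side, but the choice should be recorded next to the test, e.g. `/* a GID mapped onto nm_squash_gid cannot be told apart from a squashed one; treat both as squashed */`. Only `uc_o_gid` is compared; where `uc_o_fsgid` is set is outside this hunk, so if it can end up squashed independently the flag probably needs to cover it as well. new_init_ucred() starts and ends outside the hunk.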
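Review bot: The new comment above `if (pud->pud_ngroups && !is_nm_gid_squashed)` in the `@@ -288` hunk restates the condition and leaves out the reason, which is the security-relevant part. Since the group list is taken from `pud`, which the commit message ties to the client, I would word it as `/* groups are supplied by the client: honouring them for a squashed GID would bypass squashing */`. The if/else this test opens continues past the end of the hunk.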
@@ -301,6 +307,8 @@ static int new_init_ucred(struct mdt_thread_info *info, ucred_init_type_t type,
 pud->pud_groups);
 lustre_groups_sort(ucred->uc_ginfo);
 } else {
+ ucred->uc_suppgids[0] = -1;
+ ucred->uc_suppgids[1] = -1;
 ucred->uc_ginfo = NULL;
 }
 } else {
diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh
index 57311e2..fbdcaae 100755
--- a/lustre/tests/sanity-sec.sh
+++ b/lustre/tests/sanity-sec.sh
@@ -1541,6 +1541,11 @@ test_16() {
 run_test 16 "test nodemap all_off fileops"
 test_17() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
@@ -1552,6 +1557,11 @@ test_17() {
 run_test 17 "test nodemap trusted_noadmin fileops"
 test_18() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
@@ -1563,6 +1573,11 @@ test_18() {
 run_test 18 "test nodemap mapped_noadmin fileops"
 test_19() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
@@ -1574,6 +1589,11 @@ test_19() {
 run_test 19 "test nodemap trusted_admin fileops"
 test_20() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
@@ -1585,6 +1605,11 @@ test_20() {
 run_test 20 "test nodemap mapped_admin fileops"
 test_21() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
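Review bot: The else branch in the `@@ -301` hunk that now resets `uc_suppgids[0]` and `uc_suppgids[1]` is reached both when the client sent no groups and when its groups were discarded because the GID is squashed, and the second case leaves no trace for whoever audits the server. A debug line for that case would make squashed clients that still present a group list visible, e.g. `if (pud->pud_ngroups) CDEBUG(D_SEC, "ignoring %u client groups: GID is squashed\n", pud->pud_ngroups);`. The body of the outer `} else {` lies outside the hunk; if it performs the same three assignments, folding the permission, group-count and squash tests into one condition would leave a single reset path to keep correct.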
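Review bot: The five-line version guard added to test_17 in the `@@ -1541` hunk is pasted unchanged into test_18 through test_22 in the following hunks, so the `2.11.55` threshold now lives in six places; a small helper called at the top of each test would keep it in one. `skip` is not followed by `return`, so if `skip` in this tree only reports and does not leave the function (its definition is not visible here), the test body still runs against an old MDS; `skip "Need MDS >= 2.11.55" && return` makes the intent explicit. `$SHARED_KEY` is executed as a command, so the guard relies on a default being set elsewhere; `[ "$SHARED_KEY" = true ]` would not.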
@@ -1607,6 +1632,11 @@ test_21() {
 run_test 21 "test nodemap mapped_trusted_noadmin fileops"
 test_22() {
+ if $SHARED_KEY &&
+ [ $(lustre_version_code $SINGLEMDS) -lt $(version_code 2.11.55) ]; then
+ skip "Need MDS >= 2.11.55"
+ fi
+
 nodemap_version_check || return 0
 nodemap_test_setup
-- 
1.8.3.1