Message ID | 20230118145652.35953-1-chengen.du@canonical.com |
---|---|
Series | NFS: client permission error after adding user to permissible group |
On 1/18/23 7:56 AM, Chengen Du wrote:
> [Impact]
> The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client.
> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation).
> Adding a user to a group in the NFS server will not cause any file attributes to change.
> The client will encounter permission errors until other file attributes are changed or the memory cache is dropped.
>
> [Fix]
> The access cache shall be cleared once the user logs out and logs back in again.
>
> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login
> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path
> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning
>
> [Test Plan]
> 1.[client side] testuser is not part of testgroup
> testuser@kinetic:~$ ls -ld /mnt/private/
> drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 2.[server side] add testuser into testgroup, which has access to folder
> root@kinetic:~$ usermod -aG testgroup testuser &&
> echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
> 3.[client side] create a file again but still fail
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
>
> [Where problems could occur]
> The fix will apply upstream commits, so the regression can be considered as low.
>
> Chengen Du (1):
>   (upstream) NFS: Judge the file access cache's timestamp in rcu path
>
> NeilBrown (1):
>   (upstream) cred: add cred_fscmp() for comparing creds.
>
> Trond Myklebust (2):
>   (upstream) NFS: Clear the file access cache upon login
>   (upstream) NFS: Fix up a sparse warning
>
>  fs/nfs/dir.c           | 30 +++++++++++++++++++++++
>  include/linux/cred.h   |  1 +
>  include/linux/nfs_fs.h |  1 +
>  kernel/cred.c          | 55 ++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 87 insertions(+)
>

I think patches 2 and 3 are deserving of some explanation for how the backport was performed. Typically that information is added just below the "(backported from ...)" line in the form:

[chengen - some context adjustment. Retrieved current credentials using current_cred(). etc...]
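
The stale-cache behaviour described in the cover letter, as an added user-space C model that is not code from the patch series or the kernel. It assumes the fix compares each cached entry's timestamp with the user's latest login time, as the commit titles suggest; all struct and function names, the uid, and the timeline values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model only; every name here is hypothetical, not kernel code. */
struct access_entry {
    uint32_t uid;        /* user the cached answer belongs to */
    bool     may_write;  /* server's answer at the time it was cached */
    uint64_t cached_at;  /* timestamp of the cached answer */
};

struct inode_model {
    bool     invalid_access;  /* stands in for NFS_INO_INVALID_ACCESS */
    uint64_t timeout;         /* cache lifetime when there is no delegation */
    struct access_entry entry;
};

/* Before the fix: an entry is dropped only on the flag or on timeout. */
static bool cache_hit_before_fix(const struct inode_model *ino,
                                 uint32_t uid, uint64_t now)
{
    if (ino->entry.uid != uid || ino->invalid_access)
        return false;
    return now - ino->entry.cached_at < ino->timeout;
}

/* After the fix (assumed mechanism): an entry older than the login is stale. */
static bool cache_hit_after_fix(const struct inode_model *ino, uint32_t uid,
                                uint64_t now, uint64_t login_time)
{
    return cache_hit_before_fix(ino, uid, now) &&
           ino->entry.cached_at >= login_time;
}

/* Constructed timeline: denial cached at t=100, group changed on the server
 * at t=200 (no file attribute changes), user logs in again at t=300. */
static const struct inode_model private_dir = {
    .invalid_access = false, .timeout = 3600,
    .entry = { .uid = 1001, .may_write = false, .cached_at = 100 },
};

int main(void)
{
    printf("before fix, t=310: stale denial served = %d\n",
           cache_hit_before_fix(&private_dir, 1001, 310));
    printf("after fix,  t=310: stale denial served = %d\n",
           cache_hit_after_fix(&private_dir, 1001, 310, 300));
    return 0;
}
```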