Message ID | 20230118145721.36032-1-chengen.du@canonical.com |
---|---|
Series | NFS: client permission error after adding user to permissible group |
On 1/18/23 7:57 AM, Chengen Du wrote:
> [Impact]
> The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client.
> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation).
> Adding a user to a group in the NFS server will not cause any file attributes to change.
> The client will encounter permission errors until other file attributes are changed or the memory cache is dropped.
>
> [Fix]
> The access cache shall be cleared once the user logs out and logs back in again.
>
> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login
> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path
> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning
>
> [Test Plan]
> 1.[client side] testuser is not part of testgroup
> testuser@kinetic:~$ ls -ld /mnt/private/
> drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 2.[server side] add testuser into testgroup, which has access to folder
> root@kinetic:~$ usermod -aG testgroup testuser &&
> echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
> 3.[client side] create a file again but still fail
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
>
> [Where problems could occur]
> The fix will apply upstream commits, so the regression can be considered as low.
>
> Chengen Du (1):
>   (upstream) NFS: Judge the file access cache's timestamp in rcu path
>
> Trond Myklebust (2):
>   (upstream) NFS: Clear the file access cache upon login
>   (upstream) NFS: Fix up a sparse warning
>
>  fs/nfs/dir.c           | 28 ++++++++++++++++++++++++++++
>  include/linux/nfs_fs.h |  1 +
>  2 files changed, 29 insertions(+)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Patch 1 could have used some backport explanation such as 'simple context adjustment'

Same comments as Bionic thread

Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com>

On Wed, Jan 18, 2023 at 6:58 AM Chengen Du <chengen.du@canonical.com> wrote:

> [Impact]
> The NFS client's access cache becomes stale due to the user's group
> membership changing on the server after the user has already logged in on
> the client.
> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on
> or timeout (without delegation).
> Adding a user to a group in the NFS server will not cause any file
> attributes to change.
> The client will encounter permission errors until other file attributes
> are changed or the memory cache is dropped.
>
> [Fix]
> The access cache shall be cleared once the user logs out and logs back in
> again.
>
> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache
> upon login
> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access
> cache's timestamp in rcu path
> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning
>
> [Test Plan]
> 1.[client side] testuser is not part of testgroup
> testuser@kinetic:~$ ls -ld /mnt/private/
> drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 2.[server side] add testuser into testgroup, which has access to folder
> root@kinetic:~$ usermod -aG testgroup testuser &&
> echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
> 3.[client side] create a file again but still fail
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
>
> [Where problems could occur]
> The fix will apply upstream commits, so the regression can be considered
> as low.
>
> Chengen Du (1):
>   (upstream) NFS: Judge the file access cache's timestamp in rcu path
>
> Trond Myklebust (2):
>   (upstream) NFS: Clear the file access cache upon login
>   (upstream) NFS: Fix up a sparse warning
>
>  fs/nfs/dir.c           | 28 ++++++++++++++++++++++++++++
>  include/linux/nfs_fs.h |  1 +
>  2 files changed, 29 insertions(+)
>
> --
> 2.34.1
>

On 18.01.23 15:57, Chengen Du wrote:
> [Impact]
> The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client.
> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation).
> Adding a user to a group in the NFS server will not cause any file attributes to change.
> The client will encounter permission errors until other file attributes are changed or the memory cache is dropped.
>
> [Fix]
> The access cache shall be cleared once the user logs out and logs back in again.
>
> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login
> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path
> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning
>
> [Test Plan]
> 1.[client side] testuser is not part of testgroup
> testuser@kinetic:~$ ls -ld /mnt/private/
> drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 2.[server side] add testuser into testgroup, which has access to folder
> root@kinetic:~$ usermod -aG testgroup testuser &&
> echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
> 3.[client side] create a file again but still fail
> testuser@kinetic:~$ mktemp -p /mnt/private/
> mktemp: failed to create file via template
> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
>
> [Where problems could occur]
> The fix will apply upstream commits, so the regression can be considered as low.
>
> Chengen Du (1):
>   (upstream) NFS: Judge the file access cache's timestamp in rcu path
>
> Trond Myklebust (2):
>   (upstream) NFS: Clear the file access cache upon login
>   (upstream) NFS: Fix up a sparse warning
>
>  fs/nfs/dir.c           | 28 ++++++++++++++++++++++++++++
>  include/linux/nfs_fs.h |  1 +
>  2 files changed, 29 insertions(+)
>

Applied to jammy:linux/master-next. Thanks.

-Stefan
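
The staleness described in the cover letter, as an added example that is not part of this thread or of the kernel patches: a simplified user-space C model of one cached access result, replaying the test plan followed by a logout/login, with and without a check of the entry's timestamp against the login time. The struct and function names, the 3600-second timeout and the tick values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model of one cached ACCESS result (not kernel code). */
struct access_entry { bool valid, may_write; uint64_t timestamp; };
struct client {
    bool invalid_access;   /* stands in for NFS_INO_INVALID_ACCESS */
    uint64_t timeout;      /* assumed cache lifetime (no delegation) */
    uint64_t login_time;   /* start of the user's current session */
    bool check_login;      /* true = also judge the entry's timestamp */
    struct access_entry cache;
};

static bool server_in_group;   /* constructed server-side group state */
static int server_calls;       /* access checks that reached the server */

static bool cache_usable(const struct client *c, uint64_t now)
{
    if (!c->cache.valid || c->invalid_access)
        return false;
    if (now - c->cache.timestamp >= c->timeout)
        return false;
    /* Modelled fix: an entry cached before the current login is not trusted. */
    return !(c->check_login && c->cache.timestamp < c->login_time);
}

static bool may_write(struct client *c, uint64_t now)
{
    if (!cache_usable(c, now)) {   /* miss: ask the server, cache the answer */
        server_calls++;
        c->cache = (struct access_entry){ true, server_in_group, now };
        c->invalid_access = false;
    }
    return c->cache.may_write;
}

/* Replays the test plan, then a logout/login; returns the final result. */
static bool replay_test_plan(bool with_fix)
{
    struct client c = { .timeout = 3600, .check_login = with_fix };
    server_in_group = false; server_calls = 0;
    may_write(&c, 10);        /* step 1: denied, result cached at t=10 */
    server_in_group = true;   /* step 2: usermod -aG on the server */
    may_write(&c, 20);        /* step 3: still denied, served from cache */
    c.login_time = 25;        /* user logs out and back in */
    return may_write(&c, 30); /* retry in the new session */
}

int main(void) { printf("no fix: %d\n", replay_test_plan(false)); printf("fix: %d\n", replay_test_plan(true)); return 0; }
```

Without the timestamp check the retry is answered from the entry cached at step 1 and the server is never asked again; with it, the first access after the new login goes back to the server.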