Message ID | 20230121142549.37283-1-chengen.du@canonical.com |
---|---|
Headers | show |
Series | NFS: client permission error after adding user to permissible group | expand |
On 1/21/23 7:25 AM, Chengen Du wrote: > [Impact] > The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client. > The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation). > Adding a user to a group in the NFS server will not cause any file attributes to change. > The client will encounter permission errors until other file attributes are changed or the memory cache is dropped. > > [Fix] > The access cache shall be cleared once the user logs out and logs back in again. > > 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login > 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path > 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning > > [Test Plan] > 1.[client side] testuser is not part of testgroup > testuser@kinetic:~$ ls -ld /mnt/private/ > drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > 2.[server side] add testuser into testgroup, which has access to folder > root@kinetic:~$ usermod -aG testgroup testuser && > echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush > 3.[client side] create a file again but still fail > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > [Where problems could occur] > The fix will apply upstream commits, so the regression can be considered as low. > > Chengen Du (1): > NFS: Judge the file access cache's timestamp in rcu path > > Trond Myklebust (2): > NFS: Clear the file access cache upon login > NFS: Fix up a sparse warning > > fs/nfs/dir.c | 28 ++++++++++++++++++++++++++++ > include/linux/nfs_fs.h | 1 + > 2 files changed, 29 insertions(+) > Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Luke Nowakowski-Krijger <luke.nowakowskikrijger@canonical.com> On Sat, Jan 21, 2023 at 6:26 AM Chengen Du <chengen.du@canonical.com> wrote: > [Impact] > The NFS client's access cache becomes stale due to the user's group > membership changing on the server after the user has already logged in on > the client. > The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on > or timeout (without delegation). > Adding a user to a group in the NFS server will not cause any file > attributes to change. > The client will encounter permission errors until other file attributes > are changed or the memory cache is dropped. > > [Fix] > The access cache shall be cleared once the user logs out and logs back in > again. > > 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache > upon login > 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access > cache's timestamp in rcu path > 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning > > [Test Plan] > 1.[client side] testuser is not part of testgroup > testuser@kinetic:~$ ls -ld /mnt/private/ > drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > 2.[server side] add testuser into testgroup, which has access to folder > root@kinetic:~$ usermod -aG testgroup testuser && > echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush > 3.[client side] create a file again but still fail > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > [Where problems could occur] > The fix will apply upstream commits, so the regression can be considered > as low. > > Chengen Du (1): > NFS: Judge the file access cache's timestamp in rcu path > > Trond Myklebust (2): > NFS: Clear the file access cache upon login > NFS: Fix up a sparse warning > > fs/nfs/dir.c | 28 ++++++++++++++++++++++++++++ > include/linux/nfs_fs.h | 1 + > 2 files changed, 29 insertions(+) > > -- > 2.37.2 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
On 21.01.23 15:25, Chengen Du wrote: > [Impact] > The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client. > The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation). > Adding a user to a group in the NFS server will not cause any file attributes to change. > The client will encounter permission errors until other file attributes are changed or the memory cache is dropped. > > [Fix] > The access cache shall be cleared once the user logs out and logs back in again. > > 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login > 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path > 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning > > [Test Plan] > 1.[client side] testuser is not part of testgroup > testuser@kinetic:~$ ls -ld /mnt/private/ > drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > 2.[server side] add testuser into testgroup, which has access to folder > root@kinetic:~$ usermod -aG testgroup testuser && > echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush > 3.[client side] create a file again but still fail > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > [Where problems could occur] > The fix will apply upstream commits, so the regression can be considered as low. > > Chengen Du (1): > NFS: Judge the file access cache's timestamp in rcu path > > Trond Myklebust (2): > NFS: Clear the file access cache upon login > NFS: Fix up a sparse warning > > fs/nfs/dir.c | 28 ++++++++++++++++++++++++++++ > include/linux/nfs_fs.h | 1 + > 2 files changed, 29 insertions(+) > Applied to kinetic:linux/master-next. Thanks. -Stefan
On Sat, Jan 21, 2023 at 10:25:46PM +0800, Chengen Du wrote: > [Impact] > The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client. > The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation). > Adding a user to a group in the NFS server will not cause any file attributes to change. > The client will encounter permission errors until other file attributes are changed or the memory cache is dropped. > > [Fix] > The access cache shall be cleared once the user logs out and logs back in again. > > 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login > 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path > 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning > > [Test Plan] > 1.[client side] testuser is not part of testgroup > testuser@kinetic:~$ ls -ld /mnt/private/ > drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > 2.[server side] add testuser into testgroup, which has access to folder > root@kinetic:~$ usermod -aG testgroup testuser && > echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush > 3.[client side] create a file again but still fail > testuser@kinetic:~$ mktemp -p /mnt/private/ > mktemp: failed to create file via template > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > [Where problems could occur] > The fix will apply upstream commits, so the regression can be considered as low. Applied to lunar/linux (linux-unstable already has these patches). Thanks, -Andrea
Hi Andrea, I noticed that the patch does not be applied to kinetic. May I ask if is there any concern? Best regards, Chengen Du On Tue, Jan 31, 2023 at 7:29 AM Andrea Righi <andrea.righi@canonical.com> wrote: > > On Sat, Jan 21, 2023 at 10:25:46PM +0800, Chengen Du wrote: > > [Impact] > > The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client. > > The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation). > > Adding a user to a group in the NFS server will not cause any file attributes to change. > > The client will encounter permission errors until other file attributes are changed or the memory cache is dropped. > > > > [Fix] > > The access cache shall be cleared once the user logs out and logs back in again. > > > > 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login > > 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path > > 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning > > > > [Test Plan] > > 1.[client side] testuser is not part of testgroup > > testuser@kinetic:~$ ls -ld /mnt/private/ > > drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ > > testuser@kinetic:~$ mktemp -p /mnt/private/ > > mktemp: failed to create file via template > > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > 2.[server side] add testuser into testgroup, which has access to folder > > root@kinetic:~$ usermod -aG testgroup testuser && > > echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush > > 3.[client side] create a file again but still fail > > testuser@kinetic:~$ mktemp -p /mnt/private/ > > mktemp: failed to create file via template > > ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied > > > > [Where problems could occur] > > The fix will apply upstream commits, so the regression can be considered as low. > > Applied to lunar/linux (linux-unstable already has these patches). > > Thanks, > -Andrea
On 07.02.23 11:18, Chengen Du wrote: > Hi Andrea, > > I noticed that the patch does not be applied to kinetic. > May I ask if is there any concern? It IS applied to Kinetic. Separate reply. -Stefan > > Best regards, > Chengen Du > > On Tue, Jan 31, 2023 at 7:29 AM Andrea Righi <andrea.righi@canonical.com> wrote: >> >> On Sat, Jan 21, 2023 at 10:25:46PM +0800, Chengen Du wrote: >>> [Impact] >>> The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client. >>> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation). >>> Adding a user to a group in the NFS server will not cause any file attributes to change. >>> The client will encounter permission errors until other file attributes are changed or the memory cache is dropped. >>> >>> [Fix] >>> The access cache shall be cleared once the user logs out and logs back in again. >>> >>> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login >>> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path >>> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning >>> >>> [Test Plan] >>> 1.[client side] testuser is not part of testgroup >>> testuser@kinetic:~$ ls -ld /mnt/private/ >>> drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/ >>> testuser@kinetic:~$ mktemp -p /mnt/private/ >>> mktemp: failed to create file via template >>> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied >>> 2.[server side] add testuser into testgroup, which has access to folder >>> root@kinetic:~$ usermod -aG testgroup testuser && >>> echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush >>> 3.[client side] create a file again but still fail >>> testuser@kinetic:~$ mktemp -p /mnt/private/ >>> mktemp: failed to create file via template >>> ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied >>> >>> [Where problems could occur] >>> The fix will apply upstream commits, so the regression can be considered as low. >> >> Applied to lunar/linux (linux-unstable already has these patches). >> >> Thanks, >> -Andrea >