2022-11-24 14:03:01

by Chengen Du

Subject: NFS client permission error after changing the user's group in the server

Hi all,

I am a newbie starting to contribute upstream.
Recently I encountered an issue that is reproducible by the following steps:

1. [client side] mount NFS
   testuser@kinetic# sudo mount -o vers=4.2,sec=sys,lookupcache=none <-NFS server IP->:/srv/nfs /mnt
2. [client side] clear cache to make environment simple
   testuser@kinetic# sudo tee /proc/sys/vm/drop_caches <<< 2
3. [client side] testuser is not part of testgroup, so failing to create a file is expected
   testuser@kinetic:~$ ls -ld /mnt/private/
   drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
   testuser@kinetic:~$ mktemp -p /mnt/private/
   mktemp: failed to create file via template ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
4. [server side] add testuser into testgroup, which has access to 'private' folder
   root@kinetic:~$ usermod -aG testgroup testuser && echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
5. [client side] create a file again but fail
   testuser@kinetic:~$ mktemp -p /mnt/private/
   mktemp: failed to create file via template ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
6. [client side] clear cache and create a file again
   testuser@kinetic# sudo tee /proc/sys/vm/drop_caches <<< 2
   testuser@kinetic:~$ mktemp -p /mnt/private/
   /mnt/private/tmp.J6PTDV6S4V

I analyzed and found out the root cause is nfs_access_get_cached() in
nfs_do_access().
The access cache only expires if either NFS_INO_INVALID_ACCESS is on
or it times out (without delegation).
Adding a user to a group in the NFS server will not cause any
attributes to change.

The behavior of changing the user's group may not happen frequently,
so removing the cache may not be a proper choice.
IMHO, we could add an attribute in struct nfs_fattr to pass the mask from
the NFS server.
NFS_INO_INVALID_ACCESS can be set once we find out the mask has
changed while revalidating the dentry,
then the cache will be cleared and the correct mask fetched from the NFS
server in nfs_do_access().

Please help confirm the approach and kindly point out if there is
anything I have not considered.
It will be my pleasure to contribute to this issue.
Any comments and suggestions are welcome!

Best regards,
Chengen, Du
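
Added example (not part of the original message, and not kernel code): a simplified single-credential user-space model of the access-cache behaviour the message describes and of the proposed mask-based invalidation. All struct, field and function names and the timeout value are hypothetical; only the flag name NFS_INO_INVALID_ACCESS comes from the message.

```c
/* Simplified user-space model, not kernel code; one credential, one inode.
 * All names are hypothetical except the flag the message refers to. */
#include <stdbool.h>

#define MAY_WRITE          0x2u
#define INO_INVALID_ACCESS 0x1u  /* stands in for NFS_INO_INVALID_ACCESS */

struct server { unsigned mask; };  /* rights the server would grant right now */
struct inode_model {
    unsigned flags, cached_mask, seen_mask; /* seen_mask: proposed new field */
    bool cached;
    long cached_at, timeout;
};

/* Answer from the cache unless the flag is set or the entry timed out. */
static unsigned do_access(struct inode_model *i, const struct server *s, long now)
{
    bool expired = now - i->cached_at > i->timeout;
    if (i->cached && !(i->flags & INO_INVALID_ACCESS) && !expired)
        return i->cached_mask;
    i->cached_mask = s->mask;          /* models asking the server again */
    i->cached = true;
    i->cached_at = now;
    i->flags &= ~INO_INVALID_ACCESS;
    return i->cached_mask;
}

/* Proposal: revalidation also carries the mask; a change sets the flag. */
static void revalidate(struct inode_model *i, const struct server *s, bool with_mask)
{
    if (with_mask && s->mask != i->seen_mask) {
        i->seen_mask = s->mask;
        i->flags |= INO_INVALID_ACCESS;
    }
}

/* Replays steps 3-5; returns whether step 5 (at time t5) may write. */
static bool replay(bool with_mask, long t5)
{
    struct server s = { .mask = 0 };
    struct inode_model i = { .timeout = 30 };  /* constructed timeout value */
    do_access(&i, &s, 0);           /* step 3: denied, result cached */
    s.mask = MAY_WRITE;             /* step 4: usermod -aG on the server */
    revalidate(&i, &s, with_mask);  /* dentry revalidation before step 5 */
    return (do_access(&i, &s, t5) & MAY_WRITE) != 0;
}

int main(void) { return replay(true, 1) ? 0 : 1; }
```

replay(false, 1) reproduces the stale denial of step 5, replay(false, 31) shows the same entry recovering only after the modelled timeout, and replay(true, 1) shows the proposed mask comparison clearing it immediately.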