NAK: [SRU][Bionic][PATCH 0/4] NFS: client permission error after adding user to permissible group

Tim Gardner tim.gardner at canonical.com
Thu Jan 19 16:04:15 UTC 2023 

On 1/18/23 7:56 AM, Chengen Du wrote:
> [Impact]
> The NFS client's access cache becomes stale due to the user's group membership changing on the server after the user has already logged in on the client.
> The access cache only expires if either NFS_INO_INVALID_ACCESS flag is on or timeout (without delegation).
> Adding a user to a group in the NFS server will not cause any file attributes to change.
> The client will encounter permission errors until other file attributes are changed or the memory cache is dropped.
> 
> [Fix]
> The access cache shall be cleared once the user logs out and logs back in again.
> 
> 0eb43812c0270ee3d005ff32f91f7d0a6c4943af NFS: Clear the file access cache upon login
> 029085b8949f5d269ae2bbd14915407dd0c7f902 NFS: Judge the file access cache's timestamp in rcu path
> 5e9a7b9c2ea18551759833146a181b14835bfe39 NFS: Fix up a sparse warning
> 
> [Test Plan]
> 1.[client side] testuser is not part of testgroup
>    testuser at kinetic:~$ ls -ld /mnt/private/
>    drwxrwx--- 2 root testgroup 4096 Nov 24 08:23 /mnt/private/
>    testuser at kinetic:~$ mktemp -p /mnt/private/
>    mktemp: failed to create file via template
>    ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 2.[server side] add testuser into testgroup, which has access to folder
>    root at kinetic:~$ usermod -aG testgroup testuser &&
>    echo `date +'%s'` > /proc/net/rpc/auth.unix.gid/flush
> 3.[client side] create a file again but still fail
>    testuser at kinetic:~$ mktemp -p /mnt/private/
>    mktemp: failed to create file via template
>    ‘/mnt/private/tmp.XXXXXXXXXX’: Permission denied
> 
> [Where problems could occur]
> The fix will apply upstream commits, so the regression can be considered as low.
> 
> Chengen Du (1):
>    (upstream) NFS: Judge the file access cache's timestamp in rcu path
> 
> NeilBrown (1):
>    (upstream) cred: add cred_fscmp() for comparing creds.
> 
> Trond Myklebust (2):
>    (upstream) NFS: Clear the file access cache upon login
>    (upstream) NFS: Fix up a sparse warning
> 
>   fs/nfs/dir.c           | 30 +++++++++++++++++++++++
>   include/linux/cred.h   |  1 +
>   include/linux/nfs_fs.h |  1 +
>   kernel/cred.c          | 55 ++++++++++++++++++++++++++++++++++++++++++
>   4 files changed, 87 insertions(+)
> 

I think patches 2 and 3 are deserving of some explanation for how the 
backport was performed. Typically that information is added just below 
the "(backported from ...)" line in the form:

[chengen - some context adjustment. Retrieved current credentials using 
current_cred(). etc...]

-- 
-----------
Tim Gardner
Canonical, Inc

More information about the kernel-team mailing list