[#LU-17049] Check supplementary groups for "enable_*

[LU-17049] Check supplementary groups for "enable_*_gid" settings Created: 23/Aug/23 Updated: 24/Aug/23
Status:	Open
Project:	Lustre
Component/s:	None
Affects Version/s:	Lustre 2.16.0, Lustre 2.12.9
Fix Version/s:	None

Type:

Improvement

Priority:

Minor

Reporter:

Andreas Dilger

Assignee:

WC Triage

Resolution:

Unresolved

Votes:

Labels:

easy

Issue Links:

Related

Severity:

Rank (Obsolete):

9223372036854775807

Description

The "mdt.*.enable_remote_dir_gid" parameter is intended to keep advanced functionality out of the hands of users that might abuse them. Typically this is "0" (root only) or "-1" (all users), but it is possible to set a numeric GID to allow sysadmins in a "wheel" or "admin" group to access this functionality on behalf of users.

However, it appears that the code that is checking this parameter is only checking the primary GID of the RPC against the parameter, instead of using "lustre_in_group_p()" to check all of the supplementary groups of the user, if it is not the primary one.

Comments

Comment by Gerrit Updater [ 24/Aug/23 ]

"Andreas Dilger <adilger@whamcloud.com>" uploaded a new patch: https://review.whamcloud.com/c/fs/lustre-release/+/52063
Subject: LU-17049 mdt: check all groups for lfs mkdir
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 14d981f691a4340026e5874582ed2ef75a3cb09d

Generated at Sat Feb 10 03:32:12 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.

[LU-17049] Check supplementary groups for "enable_*_gid" settings Created: 23/Aug/23 Updated: 24/Aug/23