Patrice LUCAS has uploaded this change for review.

FSAL_VFS : only_one_user mode

Add an "only_one_user" module option in all VFS subfsals
(VFS, LUSTRE, XFS and PANFS).

This option allows preventing ganesha VFS FSALs from calling setuid and
setgid when they are running in user mode and dedicated to only
one user. This allows ganesha VFS FSAL to be run in user mode
dedicated to only one user without setting the cap_setuid and
cap_setgid on the ganesha server binary.

This option is dedicated to running the ganesha FSAL only with the
starting UID and GID (user or root). The default of this option is
false. If "only_one_user" is set to true, we disable use of setuid
and setgid to deal with credentials. Instead, all incoming requests
with uid or gid different from the one the fsal is running on are
rejected with the EPERM error code.

Change-Id: Ib4b2bbd7c622b58726b20d54a4933d1fe7238ca8
Signed-off-by: Patrice LUCAS <patrice.lucas@cea.fr>
---
M src/FSAL/FSAL_VFS/CMakeLists.txt
M src/FSAL/FSAL_VFS/export.c
M src/FSAL/FSAL_VFS/file.c
M src/FSAL/FSAL_VFS/handle.c
M src/FSAL/FSAL_VFS/panfs/main.c
M src/FSAL/FSAL_VFS/vfs/main-c.in.cmake
M src/FSAL/FSAL_VFS/vfs_methods.h
M src/FSAL/FSAL_VFS/xfs/main.c
M src/FSAL/access_check.c
M src/include/FSAL/access_check.h
10 files changed, 272 insertions(+), 147 deletions(-)

git pull ssh://review.gerrithub.io:29418/ffilz/nfs-ganesha refs/changes/96/415396/1

Gerrit-Project: ffilz/nfs-ganesha
Gerrit-Branch: next
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib4b2bbd7c622b58726b20d54a4933d1fe7238ca8
Gerrit-Change-Number: 415396
Gerrit-PatchSet: 1
Gerrit-Owner: Patrice LUCAS <patrice.lucas@cea.fr>