NSFS | add configuration flag to enable dinamic supplemental groups a…

…llocation Signed-off-by: nadav mizrahi <[email protected]>
noobaa · Feb 5, 2025 · c44db7a · c44db7a
1 parent 3fc59d6
commit c44db7a
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 3 deletions.
diff --git a/config.js b/config.js
@@ -822,6 +822,8 @@ config.NSFS_UPDATE_ISSUES_REPORT_ENABLED = true;
 config.NSFS_EXIT_EVENTS_TIME_FRAME_MIN = 24 * 60; // per day
 config.NSFS_MAX_EXIT_EVENTS_PER_TIME_FRAME = 10; // allow max 10 failed forks per day
 
+process.env.NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS = 'true';
+
 config.NSFS_GLACIER_LOGS_DIR = '/var/run/noobaa-nsfs/wal';
 config.NSFS_GLACIER_LOGS_POLL_INTERVAL = 10 * 1000;
 
@@ -1154,7 +1156,7 @@ function load_nsfs_nc_config() {
         const merged_config = _.merge(shared_config, node_config || {});
 
         Object.keys(merged_config).forEach(function(key) {
-            const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH'];
+            const config_to_env = ['NOOBAA_LOG_LEVEL', 'UV_THREADPOOL_SIZE', 'GPFS_DL_PATH', 'NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS'];
             if (config_to_env.includes(key)) {
                 process.env[key] = merged_config[key];
                 return;

diff --git a/src/native/util/os_darwin.cpp b/src/native/util/os_darwin.cpp
@@ -80,7 +80,8 @@ static void
 set_supplemental_groups(uid_t uid, gid_t gid, std::vector<gid_t>& groups) {
     //first check if groups were defined in the account configuration
     if (groups.empty()) {
-        if (get_supplemental_groups_by_uid(uid, groups) < 0) {
+        const char* is_enabled = getenv("NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS");
+        if ((is_enabled == NULL) || (strcmp(is_enabled, "false") == 0) || get_supplemental_groups_by_uid(uid, groups) < 0) {
             //aready unset by _mac_thread_setugid
             return;
         }

diff --git a/src/native/util/os_linux.cpp b/src/native/util/os_linux.cpp
@@ -65,7 +65,8 @@ static void
 set_supplemental_groups(uid_t uid, std::vector<gid_t>& groups) {
     //first check if groups were defined in the account configuration
     if (groups.empty()) {
-        if (get_supplemental_groups_by_uid(uid, groups) < 0) {
+        const char* is_enabled = getenv("NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS");
+        if ((is_enabled == NULL) || (strcmp(is_enabled, "false") == 0) || get_supplemental_groups_by_uid(uid, groups) < 0) {
             //couldn't get supplemental groups dynamically. set it to be an empty set
             MUST_SYS(syscall(SYS_setgroups, 0, NULL));
             return;

diff --git a/src/test/unit_tests/test_nsfs_access.js b/src/test/unit_tests/test_nsfs_access.js
@@ -162,6 +162,17 @@ mocha.describe('new tests check', async function() {
             assert.equal(err.code, 'EACCES');
         }
     });
+
+    mocha.it('NON ROOT 4 with disabled dynamicly suplemental groups - failure', async function() {
+        try {
+            process.env.NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS = 'false';
+            const non_root_entries = await nb_native().fs.readdir(NON_ROOT4_FS_CONFIG, full_path_non_root1);
+            assert.fail(`non root 4 has access to a folder with disabled supplemental groups - ${p} ${non_root_entries}`);
+        } catch (err) {
+            assert.equal(err.code, 'EACCES');
+        }
+        process.env.NSFS_ENABLE_DINAMIC_SUPPLEMENTAL_GROUPS = 'true';
+    });
 });