https://community.netapp.com/t5/Network-and-Storage-Protocols/Setuid-not-working-without-read-access-in-NFSv4/m-p/51910#M4744 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I'm having issues with setuid/setgid programs after upgrade (move to c-DOT) from NFSv3 to NFSv4 access protocol.</P><P></P><P>Apparently, programs with "setuid/setgid" bit set work as they should only when also "read" permission is set on the executable file. That's different from NFSv3, where setuid bit only without read access on file is enough to execute.</P><P></P><P>I have the same volume mounted once through NFSv3 and once using NFSv4 (parallel NFS):</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_1408222167959184" jivemacro_uid="_1408222167959184"><P><SPAN style="font-family: 'courier new', courier;">[testuser@edud01sap02 ~]$ mount|grep NFS</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">vssaptest5001:/vssaptest5001_edu_bench1 on /mnt-NFSv3 type nfs (rw,vers=3,addr=10.243.66.50)</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">vssaptest5001:/vssaptest5001_edu_bench1 on /mnt-NFSv4 type nfs (rw,vers=4,minorversion=1,addr=10.243.66.50,clientaddr=10.243.66.62)</SPAN></P></PRE><P></P><P>The access rights:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082224078676691" jivemacro_uid="_14082224078676691"><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv3/setuidtest</P><P>-r-s--s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv3/setuidtest</P><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv4/setuidtest</P><P>-r-s--s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv4/setuidtest</P></PRE><P></P><P>I got "permission denied" error when trying to execute through NFSv4:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082225087698530" jivemacro_uid="_14082225087698530"><P>[testuser@edud01sap02 ~]$ /mnt-NFSv4/setuidtest</P><P>-bash: /mnt-NFSv4/setuidtest: Permission denied</P></PRE><P></P><P>... while the same file executes correctly through NFSv3:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082225229195691" jivemacro_uid="_14082225229195691"><P>[testuser@edud01sap02 ~]$ /mnt-NFSv3/setuidtest</P><P>uid=555 euid=666</P><P>gid=555 egid=666</P></PRE><P></P><P>When I set the read access bit for group owner, the program executes also through NFSv4:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082227252993148" jivemacro_uid="_14082227252993148"><P>[testuser@edud01sap02 ~]$ sudo chmod g+r /mnt-NFSv4/setuidtest</P><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv4/setuidtest</P><P>-r-sr-s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv4/setuidtest</P><P>[testuser@edud01sap02 ~]$ /mnt-NFSv4/setuidtest</P><P>uid=555 euid=666</P><P>gid=555 egid=666</P></PRE><P></P><P>Is this something what has changed since NFSv3 or do I miss some configuration? This is an 8.2.1 c-DOT system with SetUID option enabled in export-policy:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082228761049883" jivemacro_uid="_14082228761049883"><P>Honor SetUID Bits in SETATTR: true</P></PRE><P></P><P>This behaviour prevents our systems from executing programs which do have strict access mode validation hardcoded to perform before proceeding with execution. Therefore just adding that "read" permission is not a valid workaround for me.</P><P></P><P>Best regards,</P><P></P><P>Lukas</P></BODY></HTML> Thu, 05 Jun 2025 05:30:24 GMT kukacz123 2025-06-05T05:30:24Z https://community.netapp.com/t5/Network-and-Storage-Protocols/Setuid-not-working-without-read-access-in-NFSv4/m-p/51910#M4744 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I'm having issues with setuid/setgid programs after upgrade (move to c-DOT) from NFSv3 to NFSv4 access protocol.</P><P></P><P>Apparently, programs with "setuid/setgid" bit set work as they should only when also "read" permission is set on the executable file. That's different from NFSv3, where setuid bit only without read access on file is enough to execute.</P><P></P><P>I have the same volume mounted once through NFSv3 and once using NFSv4 (parallel NFS):</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_1408222167959184" jivemacro_uid="_1408222167959184"><P><SPAN style="font-family: 'courier new', courier;">[testuser@edud01sap02 ~]$ mount|grep NFS</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">vssaptest5001:/vssaptest5001_edu_bench1 on /mnt-NFSv3 type nfs (rw,vers=3,addr=10.243.66.50)</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">vssaptest5001:/vssaptest5001_edu_bench1 on /mnt-NFSv4 type nfs (rw,vers=4,minorversion=1,addr=10.243.66.50,clientaddr=10.243.66.62)</SPAN></P></PRE><P></P><P>The access rights:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082224078676691" jivemacro_uid="_14082224078676691"><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv3/setuidtest</P><P>-r-s--s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv3/setuidtest</P><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv4/setuidtest</P><P>-r-s--s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv4/setuidtest</P></PRE><P></P><P>I got "permission denied" error when trying to execute through NFSv4:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082225087698530" jivemacro_uid="_14082225087698530"><P>[testuser@edud01sap02 ~]$ /mnt-NFSv4/setuidtest</P><P>-bash: /mnt-NFSv4/setuidtest: Permission denied</P></PRE><P></P><P>... while the same file executes correctly through NFSv3:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082225229195691" jivemacro_uid="_14082225229195691"><P>[testuser@edud01sap02 ~]$ /mnt-NFSv3/setuidtest</P><P>uid=555 euid=666</P><P>gid=555 egid=666</P></PRE><P></P><P>When I set the read access bit for group owner, the program executes also through NFSv4:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082227252993148" jivemacro_uid="_14082227252993148"><P>[testuser@edud01sap02 ~]$ sudo chmod g+r /mnt-NFSv4/setuidtest</P><P>[testuser@edud01sap02 ~]$ ls -l /mnt-NFSv4/setuidtest</P><P>-r-sr-s---. 1 otheruser otheruser 7018 Aug 16 19:31 /mnt-NFSv4/setuidtest</P><P>[testuser@edud01sap02 ~]$ /mnt-NFSv4/setuidtest</P><P>uid=555 euid=666</P><P>gid=555 egid=666</P></PRE><P></P><P>Is this something what has changed since NFSv3 or do I miss some configuration? This is an 8.2.1 c-DOT system with SetUID option enabled in export-policy:</P><PRE __default_attr="plain" __jive_macro_name="code" class="jive_text_macro jive_macro_code _jivemacro_uid_14082228761049883" jivemacro_uid="_14082228761049883"><P>Honor SetUID Bits in SETATTR: true</P></PRE><P></P><P>This behaviour prevents our systems from executing programs which do have strict access mode validation hardcoded to perform before proceeding with execution. Therefore just adding that "read" permission is not a valid workaround for me.</P><P></P><P>Best regards,</P><P></P><P>Lukas</P></BODY></HTML> Thu, 05 Jun 2025 05:30:24 GMT https://community.netapp.com/t5/Network-and-Storage-Protocols/Setuid-not-working-without-read-access-in-NFSv4/m-p/51910#M4744 kukacz123 2025-06-05T05:30:24Z