csi-driver-smb icon indicating copy to clipboard operation
csi-driver-smb copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-csi

Forcegid doesn't seem to work

Open superbspeed opened this issue 1 year ago • 1 comments

What happened:

Access to the SMB share is not restricted per gid:

[admin@mgmt01 fsx]$ k exec -it smb-test -n dev -- bash
groups: cannot find name for group ID 1114200513
groups: cannot find name for group ID 1114304631
I have no name!@smb-test:/$ id
uid=1114301531 gid=1114200513 groups=1114200513,1114304631
I have no name!@smb-test:/$ cd /ClincPharm/
I have no name!@smb-test:/ClincPharm$ ls -la
total 0
drwxrwx--- 2 root 1114304632  0 Oct  2 19:36 .
drwxr-xr-x 1 root root       47 Oct 17 10:25 ..
drwxrwx--- 2 root 1114304632  0 Oct  2 19:34 Restricted
I have no name!@smb-test:/ClincPharm$ cd Restricted/
I have no name!@smb-test:/ClincPharm/Restricted$ touch file.txt
I have no name!@smb-test:/ClincPharm/Restricted$ ls -la
total 0
drwxrwx--- 2 root 1114304632 0 Oct 17 10:38 .
drwxrwx--- 2 root 1114304632 0 Oct  2 19:36 ..
-rwxrwx--- 1 root 1114304632 0 Oct 17 10:38 file.txt

What you expected to happen: Mount options gid and forcegid to work by restricting access only to users in the gid. In this case the user should have been denied access to the share.

How to reproduce it:

apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: smb.csi.k8s.io
  name: pv-smb-bu-clinpharm
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: smb
  mountOptions:
    - dir_mode=0770
    - file_mode=0770
    - gid=1114304632
    - forcegid
    - noperm
    - mfsymlinks
    - cache=strict
    - noserverino  
  csi:
    driver: smb.csi.k8s.io
    volumeHandle: datastore.mydomain.com/BU/ClincPharm
    volumeAttributes:
      source: //datastore.mydomain.com/BU/ClincPharm
    nodeStageSecretRef:
      name: smbcreds
      namespace: default
	  
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: fsx-windows-clinpharm
  namespace: dev
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  volumeName: pv-smb-bu-clinpharm
  storageClassName: smb

---
apiVersion: v1
kind: Pod
metadata:
  name: smb-test
  namespace: dev
spec:
  securityContext:
    runAsUser: 1114301531
    runAsGroup: 1114200513
    supplementalGroups:
    - 1114304631
  volumes:
  - name: clinph
    persistentVolumeClaim:
      claimName: fsx-windows-clinpharm
  containers:
    - name: example-container
      image: ubuntu:jammy
      command: ["sleep"]
      args: ["1000"]
      volumeMounts:
      - name: clinph
        mountPath: /ClincPharm
  restartPolicy: Always

Anything else we need to know?: The share itself is restricted to the group and the account used in PV (smbcreds) is a member of the group.

Environment:

  • CSI Driver version: v1.16.0
  • Kubernetes version: v1.26
  • OS (pod): Ubuntu 22.04
  • Kernel (pod): 5.10.225-213.878.amzn2.x86_64
  • Others: Running on AWS EKS

superbspeed avatar Oct 17 '24 11:10 superbspeed