rick says:

The following bug was just identified in OpenBSD and it looks like the same
bug exists in the other BSDen NFS servers.

A Linux client (don't know which version, but you can look at
	http://bugzilla.kernel.org/show_bug.cgi?id=6256)
does a Setattr of mtime to the server's time, where the file is mode 0664 and
the client user has group access (ie. caller is not the file owner).

The BSD servers fail the Setattr with EPERM, since the VA_UTIMES_NULL flag
isn't set before doing the VOP_SETATTR.

It seems to me that this should be allowed, since it is allowed for a local
utimes(2). If so, the fix is to set VA_UTIMES_NULL for the
"set-time-to-server-time" cases of setting atime and/or mtime.

Submitted by:	rick@snowhite.cis.uoguelph.ca
Reviewed by:	cel
Approved by:	silby
MFC after:	1 week

sys/nfsserver/nfs_srvsubs.c

@@ -1399,6 +1399,7 @@ int
 nfsm_srvsattr_xx(struct vattr *a, struct mbuf **md, caddr_t *dpos)
 {
 	u_int32_t *tl;
+	int toclient = 0;
 
 	NFSD_LOCK_DONTCARE();
 
@@ -1447,9 +1448,11 @@ nfsm_srvsattr_xx(struct vattr *a, struct mbuf **md, caddr_t *dpos)
 		if (tl == NULL)
 			return EBADRPC;
 		fxdr_nfsv3time(tl, &(a)->va_atime);
+		toclient = 1;
 		break;
 	case NFSV3SATTRTIME_TOSERVER:
 		getnanotime(&(a)->va_atime);
+		a->va_vaflags |= VA_UTIMES_NULL;
 		break;
 	}
 	tl = nfsm_dissect_xx_nonblock(NFSX_UNSIGNED, md, dpos);
@@ -1461,9 +1464,12 @@ nfsm_srvsattr_xx(struct vattr *a, struct mbuf **md, caddr_t *dpos)
 		if (tl == NULL)
 			return EBADRPC;
 		fxdr_nfsv3time(tl, &(a)->va_mtime);
+		a->va_vaflags &= ~VA_UTIMES_NULL;
 		break;
 	case NFSV3SATTRTIME_TOSERVER:
 		getnanotime(&(a)->va_mtime);
+		if (toclient == 0)
+			a->va_vaflags |= VA_UTIMES_NULL;
 		break;
 	}
 	return 0;