Lustre / LU-20415

Nodemap: Unauthorized user able to stat file after authorized user access with deny_unknown option set


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • None
    • Lustre 2.16.0, Lustre 2.17.0
    • 3

       

      When using nodemap with the deny_unknown=1 option enabled, an unauthorized user (not mapped in the nodemap) is able to stat a file after an authorized user has performed a stat operation on the same file. This bypasses the intended access control and represents a potential security vulnerability. The issue is cache-dependent and permission is denied again once caches are cleared.

      Nodemap Config:

      [root@MGS ~]# lctl get_param nodemap.TestMap.*
      nodemap.TestMap.admin_nodemap=1
      nodemap.TestMap.audit_mode=1
      nodemap.TestMap.deny_unknown=1
      nodemap.TestMap.exports=
      [
       { nid: 153@gni, uuid: 2d97c328-d2c6-47f2-b6fe-63d2eeb05ad9 },
      ]
      nodemap.TestMap.fileset=
      nodemap.TestMap.forbid_encryption=0
      nodemap.TestMap.id=34
      nodemap.TestMap.idmap=
      [
       { idtype: uid, client_id: 2001, fs_id: 5001 },
       { idtype: uid, client_id: 2002, fs_id: 5002 },
       { idtype: uid, client_id: 2005, fs_id: 5005 },
       { idtype: gid, client_id: 2001, fs_id: 5001 },
       { idtype: gid, client_id: 2002, fs_id: 5002 },
       { idtype: gid, client_id: 2005, fs_id: 5005 }
      ]
      nodemap.TestMap.map_mode=all
      nodemap.TestMap.ranges=
      [
       { id: 66, start_nid: 153@gni, end_nid: 153@gni }
      ]
      nodemap.TestMap.rbac=file_perms,dne_ops,quota_ops,byfid_ops,chlg_ops,fscrypt_admin
      nodemap.TestMap.readonly_mount=0
      nodemap.TestMap.sepol=
      nodemap.TestMap.squash_gid=65796
      nodemap.TestMap.squash_projid=99
      nodemap.TestMap.squash_uid=65796
      nodemap.TestMap.trusted_nodemap=0 

      Authorized Users:

      [root@MGS ~]# cat /etc/lustre/passwd
      localusr00:x:5000:5000:/home/users/localusr00:/sbin/nologin
      localusr01:x:5001:5001:/home/users/localusr01:/sbin/nologin
      localusr02:x:5002:5002:/home/users/localusr02:/sbin/nologin
      nobodyusr:x:5005:5005:/home/users/nobodyusr:/sbin/nologin 

      Upcall:
       

      [root@MGS admin]# pdsh -g mds lctl get_param mdt.*-MDT*.identity_upcall
      mdt.kjcf08-MDT0000.identity_upcall=/usr/sbin/l_getidentity_nss

      Actual Behavior:

       

      root@153:~ # sync && echo 3 > /proc/sys/vm/drop_caches
      
      root@153:~ # su - localusr03 -c "stat /lus/kjcf08/sanjanas_file"
      stat: cannot stat '/lus/kjcf08/sanjanas_file': Permission denied
      
      root@153:~ # su - localusr03 -c "stat /lus/kjcf08/sanjanas_file"
      stat: cannot stat '/lus/kjcf08/sanjanas_file': Permission denied
      
      root@153:~ # su - localusr01 -c "stat /lus/kjcf08/sanjanas_file"
        File: /lus/kjcf08/sanjanas_file
        Size: 0               Blocks: 2          IO Block: 4194304 regular empty file
      Device: 70143562h/1880372578d   Inode: 144127232439222273  Links: 1
      Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2026-06-22 03:02:54.000000000 -0500
      Modify: 2026-06-22 03:02:54.000000000 -0500
      Change: 2026-06-22 03:02:54.000000000 -0500
       Birth: -
      
      root@153:~ # su - localusr03 -c "stat /lus/kjcf08/sanjanas_file"
        File: /lus/kjcf08/sanjanas_file
        Size: 0               Blocks: 2          IO Block: 4194304 regular empty file
      Device: 70143562h/1880372578d   Inode: 144127232439222273  Links: 1
      Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
      Access: 2026-06-22 03:02:54.000000000 -0500
      Modify: 2026-06-22 03:02:54.000000000 -0500
      Change: 2026-06-22 03:02:54.000000000 -0500
       Birth: -
      
      root@153:~ # sync && echo 3 > /proc/sys/vm/drop_caches
      
      root@153:~ # su - localusr03 -c "stat /lus/kjcf08/sanjanas_file"
      stat: cannot stat '/lus/kjcf08/sanjanas_file': Permission denied
       

      Potential root cause:
      Metadata caching on the client side may not be properly invalidated when deny_unknown is enabled, allowing cached stat information to be accessed by unauthorized users.
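
The transcript above can be turned into a repeatable regression check for verifying a fix or testing other clients. This is an added example, not part of the ticket or of Lustre; the function names `stat_as`, `drop_caches` and `check_deny_unknown` are hypothetical, and it assumes it is run as root on a client inside the nodemap's NID range.

```shell
#!/bin/sh
# Added example (not from the ticket): checks that an unmapped user stays
# denied after a mapped user has accessed the same file.

# stat PATH as USER; exit status 0 means the stat was allowed.
# Assumes PATH contains no single quotes.
stat_as() {
    su - "$1" -c "stat '$2'" >/dev/null 2>&1
}

# Flush client caches the same way the ticket's transcript does.
drop_caches() {
    sync && echo 3 > /proc/sys/vm/drop_caches
}

# check_deny_unknown UNMAPPED_USER MAPPED_USER PATH
# Returns 0 = denial holds, 1 = unmapped user allowed after the mapped
# user's access (the reported behaviour), 2 = preconditions not met.
check_deny_unknown() {
    unmapped=$1 mapped=$2 path=$3

    drop_caches || return 2
    # Cold cache: the unmapped user must be denied, or the run is invalid.
    if stat_as "$unmapped" "$path"; then
        echo "precondition failed: $unmapped allowed on cold cache" >&2
        return 2
    fi
    # The mapped user must succeed; this access populates the client cache.
    if ! stat_as "$mapped" "$path"; then
        echo "precondition failed: $mapped denied" >&2
        return 2
    fi
    # Warm cache: the unmapped user must still be denied.
    if stat_as "$unmapped" "$path"; then
        echo "AFFECTED: $unmapped can stat $path after $mapped did" >&2
        drop_caches   # leave the client in the denying state
        return 1
    fi
    echo "OK: $unmapped denied before and after $mapped access" >&2
    return 0
}

# Usage with the names from the transcript:
#   check_deny_unknown localusr03 localusr01 /lus/kjcf08/sanjanas_file
```

A return value of 1 reproduces the sequence in the transcript; 2 means the run proved nothing and the nodemap or user setup should be checked first.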

       

            wc-triage WC Triage
            pravs Praveen Kumar S