Details

    • Technical task
    • Resolution: Fixed
    • Blocker
    • Lustre 2.5.0
    • Lustre 2.5.0
    • 10032

    Description

      We have two kinds of missing permission checks in HSM. I'll call them "bad" and "less-bad."

      Here are the bad ones: By guessing its FID an unprivileged user can archive and restore an arbitrary file, even one which is otherwise inaccessible. An unprivileged user can also cancel running HSM actions on an arbitrary file, and send a remove command.

      If write permission for other is set on the file then an unprivileged user can get about 1/2 through HSM release, failing at the call to mo_xattr_set() on the orphan, just before layout_swap.

      The less-bad ones involve the rights to perform various HSM operations on a file owned by the user. In this case there is some disagreement about what should be allowed (some discussion on LU-3811).

      Some questions: Which less-bad operations should be permitted by default? How should additional permissions be granted? (/proc tunable, setuid() binary, policy tool?) Should explicit restore be treated differently from implicit restore?

      I propose that by default all explicit HSM actions require root or CAP_SYS_ADMIN. The next level can be enabled via /proc and allows explicit archive, release, and restore to the file owner.
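As an added illustration, not code from this ticket or from Lustre, the C sketch below models the two-level policy proposed above: by default every explicit HSM action requires root or CAP_SYS_ADMIN, and an opt-in level lets the file owner archive, release and restore their own files, while cancel and remove stay administrator-only and a non-owner is refused whatever the action (so guessing a FID gains nothing). The enum, struct and function names are hypothetical stand-ins, and the policy-level integer stands in for the proposed /proc tunable; implicit restore is assumed to be handled by the ordinary file-access check and is not routed through this function.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the explicit-HSM-action permission policy proposed
 * in the ticket. None of these identifiers are Lustre's own. */

enum hsm_action {
	HSMA_ARCHIVE,
	HSMA_RELEASE,
	HSMA_RESTORE,
	HSMA_CANCEL,
	HSMA_REMOVE,
};

/* Stand-in for the proposed /proc tunable. */
enum hsm_policy_level {
	HSM_POLICY_ADMIN_ONLY = 0, /* default: root/CAP_SYS_ADMIN for every explicit action */
	HSM_POLICY_OWNER      = 1, /* owner may also archive, release and restore own files */
};

struct hsm_request {
	enum hsm_action action;
	uint32_t caller_uid;
	bool caller_cap_sys_admin; /* capable(CAP_SYS_ADMIN) in kernel terms */
	uint32_t file_owner_uid;   /* owner of the inode the FID resolves to */
};

/* Returns 0 if the explicit HSM action is permitted, -EPERM otherwise. */
static int hsm_explicit_action_permitted(const struct hsm_request *req,
					 enum hsm_policy_level level)
{
	/* Root / CAP_SYS_ADMIN may always issue explicit HSM actions. */
	if (req->caller_uid == 0 || req->caller_cap_sys_admin)
		return 0;

	/* Default level: nobody else, regardless of ownership. */
	if (level == HSM_POLICY_ADMIN_ONLY)
		return -EPERM;

	/* Owner level: a caller who is not the owner is refused for every
	 * action, which closes the "bad" FID-guessing case. */
	if (req->caller_uid != req->file_owner_uid)
		return -EPERM;

	/* The owner may archive, release and restore; cancel and remove
	 * remain administrator-only at this level. */
	switch (req->action) {
	case HSMA_ARCHIVE:
	case HSMA_RELEASE:
	case HSMA_RESTORE:
		return 0;
	case HSMA_CANCEL:
	case HSMA_REMOVE:
	default:
		return -EPERM;
	}
}

/* Convenience wrapper so a policy table can be walked with plain arguments. */
static int hsm_check(enum hsm_action action, uint32_t uid, bool cap_admin,
		     uint32_t owner, enum hsm_policy_level level)
{
	struct hsm_request req = {
		.action = action,
		.caller_uid = uid,
		.caller_cap_sys_admin = cap_admin,
		.file_owner_uid = owner,
	};
	return hsm_explicit_action_permitted(&req, level);
}

int main(void)
{
	/* Constructed scenarios: uid 1000 owns the file, uid 1001 does not. */
	printf("root archive, default level      : %d\n",
	       hsm_check(HSMA_ARCHIVE, 0, false, 1000, HSM_POLICY_ADMIN_ONLY));
	printf("owner archive, default level     : %d\n",
	       hsm_check(HSMA_ARCHIVE, 1000, false, 1000, HSM_POLICY_ADMIN_ONLY));
	printf("owner archive, owner level       : %d\n",
	       hsm_check(HSMA_ARCHIVE, 1000, false, 1000, HSM_POLICY_OWNER));
	printf("non-owner restore, owner level   : %d\n",
	       hsm_check(HSMA_RESTORE, 1001, false, 1000, HSM_POLICY_OWNER));
	printf("owner cancel, owner level        : %d\n",
	       hsm_check(HSMA_CANCEL, 1000, false, 1000, HSM_POLICY_OWNER));
	printf("CAP_SYS_ADMIN remove, default    : %d\n",
	       hsm_check(HSMA_REMOVE, 1000, true, 1000, HSM_POLICY_ADMIN_ONLY));
	return 0;
}
```

The ownership test is deliberately placed before the per-action switch, so that a caller who only knows a FID is refused before the action is even considered; the per-action distinction then applies only to the owner, which is exactly the "less-bad" set the ticket leaves open for discussion.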

            People

              jhammond John Hammond