Lustre LU-4703

setxattr(2) will succeed by a non root user, against a file the user doesn't own.


    Description

      [root@localhost ~]# mount -t lustre 192.168.122.225@tcp:/testfs /mnt/
      [root@localhost ~]# ll /mnt/
      total 8
      drwxr-xr-x 2 dyl900 users 4096 Mar 4 16:08 dyl900
      drwxr-xr-x 2 mxa900 users 4096 Mar 4 16:08 mxa900
      [root@localhost ~]# su - dyl900
      [dyl900@localhost ~]$ cd /mnt/
      [dyl900@localhost mnt]$ getfacl ./mxa900
      # file: mxa900/
      # owner: mxa900
      # group: users
      user::rwx
      group::r-x
      other::r-x

      [dyl900@localhost mnt]$ setfacl -m u:dyl900:rwx ./mxa900
      [dyl900@localhost mnt]$ getfacl ./mxa900
      # file: mxa900/
      # owner: mxa900
      # group: users
      user::rwx
      user:dyl900:rwx
      group::r-x
      mask::rwx
      other::r-x

      On our production system, this allows a user to access other users' files...
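Two defender-side helpers for the behaviour shown in the session above, written for this page as an added example (they are not Lustre code and not part of the report). The first parses `getfacl -R` style output and lists named-user or named-group entries that grant access to someone other than the file's owner or owning group, which is what an administrator would want to sweep for after this bug. The second writes a file's existing `system.posix_acl_access` xattr back unchanged through `setxattr(2)` and reports whether the filesystem refused a non-owner, i.e. whether the ownership check the report says is missing is in place. The sample listing is constructed from the two `getfacl` outputs in the report; the function names, the result strings and the `os.getxattr`/`os.setxattr` (Linux-only) probe are my own choices.

```python
"""Audit helpers for POSIX ACL grants and the setxattr ownership check."""
import errno
import os
import sys
from dataclasses import dataclass, field

# Constructed sample in getfacl format, modelled on the two listings in the report.
SAMPLE_GETFACL = """\
# file: mxa900/
# owner: mxa900
# group: users
user::rwx
user:dyl900:rwx
group::r-x
mask::rwx
other::r-x

# file: dyl900/
# owner: dyl900
# group: users
user::rwx
group::r-x
other::r-x
"""

ACL_XATTR = "system.posix_acl_access"  # the xattr setfacl writes for the access ACL


@dataclass
class AclRecord:
    path: str
    owner: str = ""
    group: str = ""
    # (tag, qualifier, perms, is_default), e.g. ("user", "dyl900", "rwx", False)
    entries: list = field(default_factory=list)


def parse_getfacl(text: str) -> list:
    """Parse getfacl output: one blank-line separated block per file."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights annotations
        if not line:
            continue
        if line.startswith("# file:"):
            current = AclRecord(path=line[len("# file:"):].strip())
            records.append(current)
        elif line.startswith("# owner:"):
            current.owner = line[len("# owner:"):].strip()
        elif line.startswith("# group:"):
            current.group = line[len("# group:"):].strip()
        elif line.startswith("#"):
            continue  # other comment lines such as "# flags: -s-"
        else:
            is_default = line.startswith("default:")
            if is_default:
                line = line[len("default:"):]
            tag, qualifier, perms = line.split(":", 2)  # "user::rwx" -> ("user", "", "rwx")
            current.entries.append((tag, qualifier, perms, is_default))
    return records


def find_foreign_grants(records) -> list:
    """Return (path, tag, qualifier, perms) for every named entry whose qualifier
    is neither the owner (user entries) nor the owning group (group entries)."""
    hits = []
    for rec in records:
        for tag, qualifier, perms, _is_default in rec.entries:
            if tag == "user" and qualifier and qualifier != rec.owner:
                hits.append((rec.path, tag, qualifier, perms))
            elif tag == "group" and qualifier and qualifier != rec.group:
                hits.append((rec.path, tag, qualifier, perms))
    return hits


def probe_acl_ownership_check(path: str) -> str:
    """Re-write the file's current ACL unchanged via setxattr(2).

    A filesystem that enforces the ownership check answers EPERM for a caller
    that neither owns the file nor holds CAP_FOWNER; success for such a caller
    is the symptom described in the report. The data written is identical to
    what is already stored, so the probe does not alter the ACL either way."""
    try:
        current = os.getxattr(path, ACL_XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "no-acl"  # nothing to re-write; pick a file that carries an ACL
        raise
    try:
        os.setxattr(path, ACL_XATTR, current)
    except PermissionError:
        return "enforced"
    if os.geteuid() == 0 or os.stat(path).st_uid == os.geteuid():
        return "allowed-as-owner"  # success is legitimate for the owner or root
    return "not-enforced"


if __name__ == "__main__":
    for hit in find_foreign_grants(parse_getfacl(SAMPLE_GETFACL)):
        print("foreign grant on %s: %s:%s:%s" % hit)
    if len(sys.argv) > 1:  # optional: probe a file you do not own, as an unprivileged user
        print(sys.argv[1], "->", probe_acl_ownership_check(sys.argv[1]))
```

Run the probe as an ordinary user against a file owned by someone else on the mount under test: "enforced" is the expected answer, "not-enforced" reproduces the report. The parser is meant to be fed the output of `getfacl -R` over a mount so that named entries added by non-owners can be reviewed and removed.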

            People

              utopiabound Nathaniel Clark
              lidongyang Li Dongyang (Inactive)