[LU-4704] Permission checking is missing when setfacl - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Duplicate
Priority: Blocker
Fix Version/s: Lustre 2.6.0, Lustre 2.5.1, Lustre 2.4.3
Affects Version/s: Lustre 2.6.0
Labels:
- patch

Severity:
3
Rank (Obsolete):
12939

Description

Setxattr does not check the permission when setting ACL xattrs. This
will cause security problem because any user can walk around permission
checking by changing ACL rules.

Following script will reproduce this problem.
#!/bin/bash
DIR=/mnt/lustre/dir

we can got this from Lustre/test
RUNAS=./runas
rmdir $DIR
if [ -e $DIR ]; then
echo "Please remove $DIR"
exit 1
fi

mkdir $DIR
if [ ! -d $DIR ]; then
echo "Faled to mkdir $DIR"
exit 1
fi

chmod 700 $DIR

$RUNAS -u test ls $DIR
if [ $? -eq 0 ]; then
echo "Permission error"
exit 1
fi

$RUNAS -u test setfacl -m u:test:rwx $DIR
if [ $? -ne 0 ]; then
echo "Probelm not reproduced because setfacl failed"
exit 1
fi

echo "Probelm reproduced!!"

$RUNAS -u test ls $DIR
if [ $? -ne 0 ]; then
echo "ACL does not work!"
exit 1
fi

echo "Security problem!!"

Attachments

Issue Links

duplicates

LU-4703 setxattr(2) will succeed by a non root user, against a file the user doesn't own.

Resolved

is related to

LU-4703 setxattr(2) will succeed by a non root user, against a file the user doesn't own.

Resolved

Activity

[LU-4704] Permission checking is missing when setfacl

Nathaniel Clark added a comment - 30/May/14 2:52 PM

backport sanity/103 (http://review.whamcloud.com/9541) tests to b2_5:
http://review.whamcloud.com/10512

Nathaniel Clark added a comment - 30/May/14 2:52 PM backport sanity/103 ( http://review.whamcloud.com/9541 ) tests to b2_5: http://review.whamcloud.com/10512

Bob Glossman (Inactive) added a comment - 07/Mar/14 11:23 PM

backport to b2_4:
http://review.whamcloud.com/9559

Bob Glossman (Inactive) added a comment - 07/Mar/14 11:23 PM backport to b2_4: http://review.whamcloud.com/9559

Emoly Liu added a comment - 07/Mar/14 2:58 AM

The patch to enable acl/974.test and acl/2561.test is here: http://review.whamcloud.com/9541

Emoly Liu added a comment - 07/Mar/14 2:58 AM The patch to enable acl/974.test and acl/2561.test is here: http://review.whamcloud.com/9541

Bob Glossman (Inactive) added a comment - 05/Mar/14 9:22 PM

backport to b2_5:
http://review.whamcloud.com/9514

Bob Glossman (Inactive) added a comment - 05/Mar/14 9:22 PM backport to b2_5: http://review.whamcloud.com/9514

Andreas Dilger added a comment - 05/Mar/14 5:01 PM

Emoly, I also see that acl/974.test and acl/2561.test are not included in the lustre/tests/Makefile.am nobase_noinst_DATA list, and those tests are being skipped. Could you please make a separate patch to add them to the list so they are in the RPM, and fix the test to fail if the test scripts are missing.

Andreas Dilger added a comment - 05/Mar/14 5:01 PM Emoly, I also see that acl/974.test and acl/2561.test are not included in the lustre/tests/Makefile.am nobase_noinst_DATA list, and those tests are being skipped. Could you please make a separate patch to add them to the list so they are in the RPM, and fix the test to fail if the test scripts are missing.

Peter Jones added a comment - 04/Mar/14 6:52 PM

Emoly

Could you please look after this patch?

Thanks

Peter

Peter Jones added a comment - 04/Mar/14 6:52 PM Emoly Could you please look after this patch? Thanks Peter

Li Xi (Inactive) added a comment - 04/Mar/14 8:58 AM - edited

Please check this patch.
http://review.whamcloud.com/#/c/9473/

(This one is for ll_setxattr_common().)

Li Xi (Inactive) added a comment - 04/Mar/14 8:58 AM - edited Please check this patch. http://review.whamcloud.com/#/c/9473/ (This one is for ll_setxattr_common().)

People

Assignee:: Emoly Liu

Reporter:: Li Xi (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 13 Start watching this issue

Dates

Created:: 04/Mar/14 8:54 AM

Updated:: 30/May/14 2:52 PM

Resolved:: 05/Mar/14 6:33 PM