[LU-9145] When Shared Key feature is active, Nodemap admin property allows more access - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: Lustre 2.11.0, Lustre 2.10.4
Affects Version/s: Lustre 2.9.0
Labels:
- patch

Severity:
4
Rank (Obsolete):
9223372036854775807

Description

When the Shared Key feature of Lustre is active, and the Nodemap "admin" property for a nodemap is set to 0, Lustre does not restrict access to that nodemap as it normally would without Shared Key. Examples of this issue occurring can be found in tests 17, 18, and 20-23 of sanity-sec in the testing framework of the following run:
https://testing.hpdd.intel.com/test_sets/36d7440a-f84f-11e6-887f-5254006e85c2

This may be replicated on a system with Shared Key and Nodemap features enabled, by setting all nodemap admin and trusted properties to 0. Under these conditions, the system does not fully limit root access.

The error returned by the test framework is:
sanity-sec test_17: @@@@@@ FAIL: test trusted_noadmin:0:c0:0:000, wanted 0 0, got 1 1

The "0 0" desired by this test is the output of do_create_delete() from the sanity-sec.sh suite in the testing framework. This function attempts to touch, and then remove, a file. Since it should not be able to do either, the test fails since both operations are permitted. Other tests of the same nature fail for similar reasons.

Attachments

Issue Links

is related to

LU-13172 nodemap: a squashed primary GID allows user to successfully use chgrp to any unmapped group

Open

is related to

LU-9795 SSK test failures in many suites when SHARED_KEY is enabled

Reopened

Activity

[LU-9145] When Shared Key feature is active, Nodemap admin property allows more access

Andreas Dilger added a comment - 27/Aug/19 12:00 AM

No tests are currently reported as skipped because of this ticket.

Andreas Dilger added a comment - 27/Aug/19 12:00 AM No tests are currently reported as skipped because of this ticket.

Gerrit Updater added a comment - 26/Feb/18 6:43 PM

John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/30812/
Subject: ~~LU-9145~~ nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: b2_10
Current Patch Set:
Commit: 51eaf0d07e84cc86a1d4469f293060da53c351d5

Gerrit Updater added a comment - 26/Feb/18 6:43 PM John L. Hammond (john.hammond@intel.com) merged in patch https://review.whamcloud.com/30812/ Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping Project: fs/lustre-release Branch: b2_10 Current Patch Set: Commit: 51eaf0d07e84cc86a1d4469f293060da53c351d5

Gerrit Updater added a comment - 09/Jan/18 8:42 PM

Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/30812
Subject: ~~LU-9145~~ nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: b2_10
Current Patch Set: 1
Commit: 5e5a69890e27963c2e2556e59b2984df254c3e2c

Gerrit Updater added a comment - 09/Jan/18 8:42 PM Minh Diep (minh.diep@intel.com) uploaded a new patch: https://review.whamcloud.com/30812 Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping Project: fs/lustre-release Branch: b2_10 Current Patch Set: 1 Commit: 5e5a69890e27963c2e2556e59b2984df254c3e2c

Minh Diep added a comment - 09/Jan/18 3:50 PM

Landed for 2.11

Minh Diep added a comment - 09/Jan/18 3:50 PM Landed for 2.11

Gerrit Updater added a comment - 09/Jan/18 5:35 AM

Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26624/
Subject: ~~LU-9145~~ nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 37db778f48f952747575e323cb341ed663852fff

Gerrit Updater added a comment - 09/Jan/18 5:35 AM Oleg Drokin (oleg.drokin@intel.com) merged in patch https://review.whamcloud.com/26624/ Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping Project: fs/lustre-release Branch: master Current Patch Set: Commit: 37db778f48f952747575e323cb341ed663852fff

Gerrit Updater added a comment - 14/Apr/17 4:12 PM

Kit Westneat (kit.westneat@gmail.com) uploaded a new patch: https://review.whamcloud.com/26624
Subject: ~~LU-9145~~ nodemap: new_init_ucred doesn't do nodemapping
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: a17498dfd8a618964215974c028944d29c95f8be

Gerrit Updater added a comment - 14/Apr/17 4:12 PM Kit Westneat (kit.westneat@gmail.com) uploaded a new patch: https://review.whamcloud.com/26624 Subject: LU-9145 nodemap: new_init_ucred doesn't do nodemapping Project: fs/lustre-release Branch: master Current Patch Set: 1 Commit: a17498dfd8a618964215974c028944d29c95f8be

Chris Hanna (Inactive) added a comment - 10/Mar/17 1:43 PM

Hi Andreas,

Kit mentioned he may take a look at this next week. Kerberos is affected in the same manner as SSK.

Chris Hanna (Inactive) added a comment - 10/Mar/17 1:43 PM Hi Andreas, Kit mentioned he may take a look at this next week. Kerberos is affected in the same manner as SSK.

Andreas Dilger added a comment - 01/Mar/17 6:25 PM

Chris, are Kit or Jeremy still available to work on this?

Andreas Dilger added a comment - 01/Mar/17 6:25 PM Chris, are Kit or Jeremy still available to work on this?

People

Assignee:: Kit Westneat (Inactive)

Reporter:: Chris Hanna (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 22/Feb/17 7:39 PM

Updated:: 15/Dec/21 2:35 AM

Resolved:: 09/Jan/18 3:50 PM