https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-4703 Lustre <p><span class="error">&#91;root@localhost ~&#93;</span># mount -t lustre 192.168.122.225@tcp:/testfs /mnt/<br/> <span class="error">&#91;root@localhost ~&#93;</span># ll /mnt/<br/> total 8<br/> drwxr-xr-x 2 dyl900 users 4096 Mar 4 16:08 dyl900<br/> drwxr-xr-x 2 mxa900 users 4096 Mar 4 16:08 mxa900<br/> <span class="error">&#91;root@localhost ~&#93;</span># su - dyl900<br/> <span class="error">&#91;dyl900@localhost ~&#93;</span>$ cd /mnt/<br/> <span class="error">&#91;dyl900@localhost mnt&#93;</span>$ getfacl ./mxa900</p> <ol> <li>file: mxa900/</li> <li>owner: mxa900</li> <li>group: users<br/> user::rwx<br/> group::r-x<br/> other::r-x</li> </ol> <p><span class="error">&#91;dyl900@localhost mnt&#93;</span>$ setfacl -m u:dyl900:rwx ./mxa900<br/> <span class="error">&#91;dyl900@localhost mnt&#93;</span>$ getfacl ./mxa900</p> <ol> <li>file: mxa900/</li> <li>owner: mxa900</li> <li>group: users<br/> user::rwx<br/> user:dyl900:rwx<br/> group::r-x<br/> mask::rwx<br/> other::r-x</li> </ol> <p>On our production system, this allows a user access other users' files...</p> CentOS 6.4 LU-4703

setxattr(2) will succeed by a non root user, against a file the user doesn't own.

Bug Blocker Resolved Fixed Nathaniel Clark Li Dongyang patch Tue, 4 Mar 2014 06:09:30 +0000 Wed, 12 Mar 2014 22:30:59 +0000 Wed, 12 Mar 2014 22:30:59 +0000 Lustre 2.5.0 Lustre 2.6.0 Lustre 2.4.2 Lustre 2.6.0 Lustre 2.5.1 Lustre 2.4.3 0 12 <p>for master: <a href="http://review.whamcloud.com/#/c/9469/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/9469/</a></p> <p>(This is the one for mdd_xattr_set().)</p> <p>Looking at this, I think mdd_xattr_sanity_check() could be improved somewhat. Currently it looks like:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>static int mdd_xattr_sanity_check(const struct lu_env *env, struct mdd_object *obj, const struct lu_attr *attr) { struct lu_ucred *uc = lu_ucred_assert(env); ENTRY; if (mdd_is_immutable(obj) || mdd_is_append(obj)) RETURN(-EPERM); if ((uc-&gt;uc_fsuid != attr-&gt;la_uid) &amp;&amp; !md_capable(uc, CFS_CAP_FOWNER)) RETURN(-EPERM); RETURN(0); } </pre> </div></div> <ol> <li>This might benefit from the explicit xattr classification done in ll_setxattr_common(). That is we could check prefix and reject anything we don't recognize/want to support.</li> <li>Even though the client masks some xattrs like security.capability it would be worthwhile to handle them explicitly here. Setting security.capability should require CAP_SETFCAP. Setting anything other security.* should require CAP_SYS_ADMIN.</li> <li>There are some other rules like for sticky directories that should be considered. Probably mdd_xattr_set_sanity_check() should duplicate most of the logic in xattr_permission().</li> <li>There is also some access policy in mdt_reint_setxattr() that should be looked at and maybe moved.</li> </ol> <p>Patch from <a href="https://jira.whamcloud.com/browse/LU-4704" title="Permission checking is missing when setfacl" class="issue-link" data-issue-key="LU-4704"><del>LU-4704</del></a> <a href="http://review.whamcloud.com/9473" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9473</a> </p> <p>I just verified that this bug does not exist in any release earlier than 2.4.0. It was added in commit 7b3bfb09, which moved the ACL handling out of the OSD and into the MDD so that ZFS does not have to handle ACL checking itself.</p> <p>for b2_5: <a href="http://review.whamcloud.com/9513" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9513</a></p> <p>Test for issue <a href="http://review.whamcloud.com/9508" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9508</a></p> <p>for b2_4: <a href="http://review.whamcloud.com/9558" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9558</a></p> <p>Note that it should be possible to disable ACL support on ldiskfs MDSes either temporarily or permanently to provide a short-term workaround for this bug. There is no mechanism to disable ACL support on ZFS filesystems at this time.</p> <p>The MDS can be mounted with the "-o noacl" option to disable ACL support temporarily, or by unmounting the MDS, running "<tt>tune2fs -o ^acl /dev/&lt;mdsdev&gt;</tt>" to turn off ACL support in the ldiskfs superblock, and then mount the MDS again.</p> <p>Disabling the ACL can be verified on the client by checking "lctl get_param mdc.*.import | grep connect_flags" and checking whether the "acl" feature is listed (it will normally be second).</p> <p>sanity/102p for b2_5 <a href="http://review.whamcloud.com/9604" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9604</a></p> <p>Landed for 2.4.3, 2.5.1 and 2.6</p> Duplicate LU-4704 Related LU-4704 Development Rank 1|hzwgof: Rank (Obsolete) 12938 Severity