https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-4704 Lustre <p>Setxattr does not check the permission when setting ACL xattrs. This<br/> will cause security problem because any user can walk around permission<br/> checking by changing ACL rules.</p> <p>Following script will reproduce this problem.<br/> #!/bin/bash<br/> DIR=/mnt/lustre/dir</p> <ol> <li>we can got this from Lustre/test<br/> RUNAS=./runas<br/> rmdir $DIR <br/> if [ -e $DIR ]; then<br/> echo "Please remove $DIR" <br/> exit 1<br/> fi</li> </ol> <p>mkdir $DIR<br/> if [ ! -d $DIR ]; then<br/> echo "Faled to mkdir $DIR" <br/> exit 1<br/> fi</p> <p>chmod 700 $DIR</p> <p>$RUNAS -u test ls $DIR<br/> if [ $? -eq 0 ]; then<br/> echo "Permission error" <br/> exit 1<br/> fi</p> <p>$RUNAS -u test setfacl -m u:test:rwx $DIR<br/> if [ $? -ne 0 ]; then<br/> echo "Probelm not reproduced because setfacl failed" <br/> exit 1<br/> fi</p> <p>echo "Probelm reproduced!!" </p> <p>$RUNAS -u test ls $DIR<br/> if [ $? -ne 0 ]; then<br/> echo "ACL does not work!" <br/> exit 1<br/> fi</p> <p>echo "Security problem!!" </p> LU-4704

Permission checking is missing when setfacl

Bug Blocker Resolved Duplicate Emoly Liu Li Xi patch Tue, 4 Mar 2014 08:54:22 +0000 Fri, 30 May 2014 14:52:53 +0000 Wed, 5 Mar 2014 18:33:45 +0000 Lustre 2.6.0 Lustre 2.6.0 Lustre 2.5.1 Lustre 2.4.3 0 13 <p>Please check this patch.<br/> <a href="http://review.whamcloud.com/#/c/9473/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/9473/</a></p> <p>(This one is for ll_setxattr_common().)</p> <p>Emoly</p> <p>Could you please look after this patch?</p> <p>Thanks</p> <p>Peter</p> <p>Emoly, I also see that acl/974.test and acl/2561.test are not included in the lustre/tests/Makefile.am nobase_noinst_DATA list, and those tests are being skipped. Could you please make a separate patch to add them to the list so they are in the RPM, and fix the test to fail if the test scripts are missing. </p> <p>backport to b2_5:<br/> <a href="http://review.whamcloud.com/9514" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9514</a></p> <p>The patch to enable acl/974.test and acl/2561.test is here: <a href="http://review.whamcloud.com/9541" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9541</a></p> <p>backport to b2_4:<br/> <a href="http://review.whamcloud.com/9559" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9559</a></p> <p>backport sanity/103 (<a href="http://review.whamcloud.com/9541" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/9541</a>) tests to b2_5:<br/> <a href="http://review.whamcloud.com/10512" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/10512</a></p> Duplicate LU-4703 Related LU-4703 Development Rank 1|hzwgon: Rank (Obsolete) 12939 Severity