From owner-freebsd-bugs@FreeBSD.ORG Mon Jan 7 13:10:00 2013
Return-Path:
Delivered-To: freebsd-bugs@smarthost.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id BAB746D5 for ; Mon, 7 Jan 2013 13:10:00 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 9EE0C91B for ; Mon, 7 Jan 2013 13:10:00 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r07DA07D012739 for ; Mon, 7 Jan 2013 13:10:00 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r07DA0JI012738; Mon, 7 Jan 2013 13:10:00 GMT (envelope-from gnats)
Resent-Date: Mon, 7 Jan 2013 13:10:00 GMT
Resent-Message-Id: <201301071310.r07DA0JI012738@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Sandra
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 3EA055A7 for ; Mon, 7 Jan 2013 13:04:06 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 1999F8D6 for ; Mon, 7 Jan 2013 13:04:06 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r07D45Ph027144 for ; Mon, 7 Jan 2013 13:04:05 GMT (envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost) by red.freebsd.org (8.14.5/8.14.5/Submit) id r07D45wK027143; Mon, 7 Jan 2013 13:04:05 GMT (envelope-from nobody)
Message-Id: <201301071304.r07D45wK027143@red.freebsd.org>
Date: Mon, 7 Jan 2013 13:04:05 GMT
From: Sandra
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Subject: misc/175101: ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Jan 2013 13:10:00 -0000

>Number:         175101
>Category:       misc
>Synopsis:       ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 13:10:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Sandra
>Release:        9
>Organization:
>Environment:
>Description:
In the output below, which is from the script in "How to repeat the problem", it can be seen that user "www", which doesn't own file1 and only has "rx" permissions on /tank/project1/test3, is able to delete /tank/project1/test3/file1 and, by doing that, update the timestamp on /tank/project1/test3. This should not be possible with the given permissions.
#!/usr/local/bin/bash -v
clear
p="/tank/project1"
d="$p/test3"
u="user1"
rm -rf $d
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
            user:www:rwxpDdaARWcCos:fd----:allow
          user:user1:rwxpDdaARWcCos:fd----:allow
              owner@:rwx-----------:fd----:allow
              group@:--------------:fd----:allow
           everyone@:--------------:fd----:allow
su -m $u -c "mkdir $d"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
            user:www:rwxpDdaARWcCos:fd----:allow
          user:user1:rwxpDdaARWcCos:fd----:allow
              owner@:rwx-----------:fd----:allow
              group@:--------------:fd----:allow
           everyone@:--------------:fd----:allow
su -m $u -c "touch $d/file1"
# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
            user:www:r-x-----------:fd----:allow
            user:www:r-x-----------:fd----:allow
          user:user1:rwxpDdaARWcCos:fd----:allow
              owner@:rwx-----------:fd----:allow
              group@:--------------:fd----:allow
           everyone@:--------------:fd----:allow
# www should be able to read and delete because file1 was created before the ACL
getfacl $d/file1
# file: /tank/project1/test3/file1
# owner: user1
# group: wheel
            user:www:rw-pDdaARWcCos:------:allow
          user:user1:rw-pDdaARWcCos:------:allow
              owner@:rw------------:------:allow
              group@:--------------:------:allow
           everyone@:--------------:------:allow
su -m www -c "touch $d/file2"
touch: /tank/project1/test3/file2: Permission denied
su -m www -c "cat $d/file1"
touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d
drwx------+ 2 user1 wheel 2 Jan 7 12:25 /tank/project1/test3

>How-To-Repeat:
#!/usr/local/bin/bash -v
clear
p="/tank/project1"
d="$p/test3"
u="user1"
rm -rf $d
# start from a clean ACL on the parent, then grant the inheritable (fd) entries
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p
# user1 creates the subdirectory and a file in it, both inheriting the entries above
su -m $u -c "mkdir $d"
getfacl $d
su -m $u -c "touch $d/file1"
# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d
# www should not be able to delete file1, as delete has not been granted
# also notice that www's rm updates the timestamp on the parent dir.
# this should not be possible
getfacl $d/file1
su -m www -c "touch $d/file2"
su -m www -c "cat $d/file1"
# set the directory timestamps back to 1912 so that the ls below shows whether rm changed them
touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
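Below is an added audit example, written for this page; it is not part of Sandra's report or of FreeBSD. It parses the getfacl output quoted in the report (the test3 directory after user1 restricted www to rx, and file1 with the entry it inherited earlier) and evaluates, per user, whether an unlink would be permitted and why. The decision rule it encodes is a simplified model and an assumption of the example, not a transcription of the kernel's zfs_zaccess_delete(): under NFSv4 ACL semantics an unlink is permitted when the file's own ACL grants delete or the parent directory's ACL grants delete_child, so a file that inherited a full_set entry before the directory ACL was tightened still carries its own delete grant. The permission-letter mapping follows the compact format documented in setfacl(1); the function names (parse_getfacl, may_unlink, stale_delete_grants) and the deny-test inputs are the example's own.

```python
from collections import namedtuple

# Compact permission letters as getfacl(1) prints them on FreeBSD ("rwxpDdaARWcCos"
# in the report), mapped to their NFSv4 names per setfacl(1).
PERM_NAMES = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
              "D": "delete_child", "d": "delete", "a": "read_attributes",
              "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
              "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}

# who is "user:NAME", "group:NAME", "owner@", "group@" or "everyone@"; kind is allow/deny
Ace = namedtuple("Ace", "who perms kind")

def parse_getfacl(text):
    """Parse getfacl(1) compact output into (owner, group, [Ace, ...])."""
    owner = group = None
    aces = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # who:perms:flags:kind; "who" may itself contain a colon (user:www).
            parts = line.rsplit(":", 3)
            if len(parts) != 4 or parts[3] not in ("allow", "deny"):
                raise ValueError("unrecognised ACE line: %r" % line)
            who, perms, _flags, kind = parts
            # An unknown permission letter raises KeyError instead of being dropped.
            aces.append(Ace(who, frozenset(PERM_NAMES[c] for c in perms if c != "-"), kind))
    return owner, group, aces

def ace_matches(ace, principal, groups, owner, group):
    # Does this ACE apply to user `principal` whose group memberships are `groups`?
    kind, _, name = ace.who.partition(":")
    return (ace.who == "everyone@" or (ace.who == "owner@" and principal == owner)
            or (ace.who == "group@" and group in groups)
            or (kind == "user" and name == principal) or (kind == "group" and name in groups))

def decide(aces, perm, principal, groups, owner, group):
    """NFSv4 first-match: the first applicable ACE that mentions `perm` decides.
    Returns True (allow), False (deny) or None (no ACE mentions the bit)."""
    for ace in aces:
        if perm in ace.perms and ace_matches(ace, principal, groups, owner, group):
            return ace.kind == "allow"
    return None

def may_unlink(parent_acl, file_acl, principal, groups=()):
    """Simplified model (an assumption of this example, not the kernel's exact
    zfs_zaccess_delete() logic): permit if the file ACL grants delete or the parent
    grants delete_child; refuse an explicit deny of either with no allow; if neither
    bit is mentioned anywhere, fall back to write_data+execute on the parent."""
    p_owner, p_group, p_aces = parse_getfacl(parent_acl)
    f_owner, f_group, f_aces = parse_getfacl(file_acl)
    on_parent = lambda perm: decide(p_aces, perm, principal, groups, p_owner, p_group)
    on_file = decide(f_aces, "delete", principal, groups, f_owner, f_group)
    on_dir = on_parent("delete_child")
    if on_file:
        return True, "file ACL grants delete to %s" % principal
    if on_dir:
        return True, "parent ACL grants delete_child to %s" % principal
    if on_file is False or on_dir is False:
        return False, "delete or delete_child explicitly denied to %s" % principal
    if on_parent("write_data") and on_parent("execute"):
        return True, "parent ACL grants write_data and execute to %s" % principal
    return False, "no delete, delete_child or write_data+execute for %s" % principal

def stale_delete_grants(file_acl, parent_acl):
    """Users whose file entry still grants delete although the parent no longer grants
    them delete_child: tightening a directory ACL does not rewrite existing children."""
    p_owner, p_group, p_aces = parse_getfacl(parent_acl)
    stale = []
    for ace in parse_getfacl(file_acl)[2]:
        if ace.kind == "allow" and "delete" in ace.perms and ace.who.startswith("user:"):
            user = ace.who.split(":", 1)[1]
            if not decide(p_aces, "delete_child", user, (), p_owner, p_group):
                stale.append(user)
    return stale

# getfacl output copied from the report: test3 after user1 restricted www to rx,
# and file1 still carrying the full_set entry it inherited when it was created.
TEST3_ACL = """
# owner: user1
# group: wheel
            user:www:r-x-----------:fd----:allow
          user:user1:rwxpDdaARWcCos:fd----:allow
              owner@:rwx-----------:fd----:allow
              group@:--------------:fd----:allow
           everyone@:--------------:fd----:allow
"""
FILE1_ACL = """
# owner: user1
# group: wheel
            user:www:rw-pDdaARWcCos:------:allow
          user:user1:rw-pDdaARWcCos:------:allow
              owner@:rw------------:------:allow
              group@:--------------:------:allow
           everyone@:--------------:------:allow
"""
```

may_unlink(TEST3_ACL, FILE1_ACL, "www") reports the unlink as permitted through file1's own delete grant, which is the entry visible in the report's getfacl $d/file1 output; once the unlink is allowed, the parent directory's modification time changes as it would for any directory update. stale_delete_grants(FILE1_ACL, TEST3_ACL) returns ["www"], which is the check to run over a tree after restricting a directory ACL: entries already inherited by existing files have to be corrected on those files, since changing the directory only affects objects created afterwards.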