From: Stilez Stilezy
Date: Sat, 26 May 2018 10:21:09 +0100
Subject: Apparent incorrect behaviour in NFSv4 ACL processing in 11.1-REL. Expected/correct behaviour or bug?
To: freebsd-fs

I've managed to get reproducible behaviour on FreeBSD 11.1, showing that in some cases:

1) an NFSv4 ACE that shouldn't affect the access granted to an account, does seem to affect it; and
2) this behaviour can be worked around by giving the account "ra" instead of "r" even though from docs, "a" shouldn't be relevant to the access affected.

It looks like a bug to me, but perhaps there's some non-bug explanation for it, or it's my lack of knowledge?

Test output follows below. I've interspersed commands/output from two parallel sessions, one (#) privileged, the other (%) unprivileged. Comments are in ALL-CAPS.

Any light on what's going on would be appreciated - thanks.

Stilez.

COMMENT: CHECK MOUNT OPTIONS ARE NORMAL, AND SET UP A CLEAN TEST DIR + CONTENTS

# mount | grep testpool
testpool on /mnt/testpool (zfs, local, noatime, nfsv4acls)
testpool/User_files on /mnt/testpool/User_files (zfs, local, noatime, nfsv4acls)

# mkdir /mnt/testpool/test5; mkdir /mnt/testpool/test5/subdir; touch /mnt/testpool/test5/subfile; ls -1F /mnt/testpool/test5
subfile
subdir/

COMMENT: CHECK OUR DIR IS READABLE WITH A NEWLY CREATED UNPRIVILEGED ACCOUNT IN ANOTHER SSH WINDOW:

% ls /mnt/testpool/test5
subdir subfile

COMMENT: QUICKLY SET UP SOME ACLS TO EXHIBIT THE BEHAVIOUR:
COMMENT: THESE ACLS SHOULD ALLOW THE UNPRIVILEGED ACCOUNT TO READ THE DIR BUT NOTHING ELSE (AND THEY DO - SO FAR IT'S OK)

# setfacl -a 0 everyone@:r::allow,owner@::allow,group@::allow,everyone@::allow /mnt/testpool/test5 ; \
setfacl -x 4 /mnt/testpool/test5; setfacl -x 4 /mnt/testpool/test5; setfacl -x 4 /mnt/testpool/test5; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

COMMENT: CHECK THAT OUR UNPRIVILEGED ACCOUNT CAN READ THE DIR AS EXPECTED, AND ONLY NEEDS "r" TO DO SO:

% ls /mnt/testpool/test5
subdir subfile

COMMENT: SO FAR ALL IS OK.
COMMENT: NOW ADD A SINGLE ACE THAT SHOULDN'T AFFECT OUR UNPRIVILEGED ACCOUNT AT ALL
COMMENT: NOTHING SHOULD HAVE CHANGED FOR OUR UNPRIVILEGED ACCOUNT, BUT IT NOW CANNOT READ THE DIR.

# setfacl -a 1 group:nogroup:rwxpDda-R-c---:fd-----:allow /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
ls: /mnt/testpool/test5: Permission denied

COMMENT: LET'S GIVE THE UNPRIVILEGED ACCOUNT 'ra' INSTEAD OF 'r'.
COMMENT: WITH "ra" IT CAN READ THE DIR AGAIN:

# setfacl -a 0 everyone@:ra::allow /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-----a-------:-------:allow
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
subdir subfile

COMMENT: CONFIRM THE "a" WAS NECESSARY, BY REMOVING IT.
COMMENT: THE UNPRIVILEGED ACCOUNT CAN NOT READ THE DIR WITHOUT "ra":

# setfacl -x 0 /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
ls: /mnt/testpool/test5: Permission denied
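
An added example, not part of the original post and not FreeBSD or ZFS code: a simplified model of the in-order ACE processing described in RFC 7530 section 6.2.1, run over the ACLs from the getfacl output above, as a baseline to compare the observed results against. The requester's identity and group membership (outside nogroup and wheel) and all function names are assumptions.

```python
# Simplified model of RFC 7530 section 6.2.1 ACE processing (not FreeBSD/ZFS code).
PERMS = set("rwxpDdaARWcCos")  # setfacl(1) compact NFSv4 permission letters

def parse_ace(line):
    """Parse one getfacl line: 'who:perms:flags:type' or 'group:name:perms:flags:type'."""
    parts = line.strip().split(":")
    named = parts[0] in ("user", "group")
    who = (parts[0], parts[1] if named else None)
    perms, flags, ace_type = parts[2:] if named else parts[1:]
    granted = set(perms) - {"-"}
    if not granted <= PERMS:
        raise ValueError(f"unknown permission letter in {line!r}")
    return {"who": who, "perms": granted, "inherit_only": "i" in flags, "type": ace_type}

def matches(who, req):
    kind, name = who
    if kind == "everyone@":
        return True
    if kind == "owner@":
        return req["uid"] == req["file_owner"]
    if kind == "group@":
        return req["file_group"] in req["groups"]
    return name == req["uid"] if kind == "user" else name in req["groups"]

def evaluate(acl_lines, req, wanted):
    """True if every permission letter in `wanted` gets allowed, ACEs taken in order."""
    pending = set(wanted)
    for ace in map(parse_ace, acl_lines):
        if ace["inherit_only"] or not matches(ace["who"], req):
            continue  # inherit-only ACEs do not apply to the object itself
        if ace["type"] == "deny" and pending & ace["perms"]:
            return False  # a still-unallowed bit is denied
        if ace["type"] == "allow":
            pending -= ace["perms"]
    return not pending  # bits never allowed are treated as denied

# ACLs copied from the getfacl output in the post.
BEFORE = ["everyone@:r-------------:-------:allow", "owner@:--------------:-------:allow",
          "group@:--------------:-------:allow", "everyone@:--------------:-------:allow"]
GROUP_ACE = "group:nogroup:rwxpDda-R-c---:fd-----:allow"
AFTER = BEFORE[:1] + [GROUP_ACE] + BEFORE[1:]
WITH_RA = ["everyone@:r-----a-------:-------:allow"] + AFTER
# Constructed requester (assumption): not root, not in wheel, not in nogroup.
REQ = {"uid": "testuser", "groups": {"testuser"}, "file_owner": "root", "file_group": "wheel"}

def outcomes(wanted):  # results for [BEFORE, AFTER, WITH_RA]
    return [evaluate(acl, REQ, wanted) for acl in (BEFORE, AFTER, WITH_RA)]
if __name__ == "__main__":
    print("r:", outcomes("r"), "ra:", outcomes("ra"))
```

In this model the group:nogroup ACE changes no result for a requester outside nogroup, whether the request is for "r" alone or for "ra".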