Date: Thu, 27 Feb 2020 22:03:20 +0100
From: Peter Eriksson <pen@lysator.liu.se>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Subject: Re: Linux could write to read only files on FreeBSD NFS server
Message-ID: <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>
In-Reply-To: <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com>
References: <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com>

I can verify that this indeed seems to be the case - the file owner can
always write to files, no matter the permissions set. Tested both locally
(on ZFS) and over NFS (from the same directory).

- Peter

> $ touch x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::rw-
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ chmod -w x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::r--
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ echo aaa >>x
>
> $ cat x
> aaa

Not even a “deny” ACL stops writing :-). It does stop me from reading the
file contents afterwards though :-)

> $ acltool edit owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rwxpd-aARWcCos:-------:deny
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ echo foo >>x
> $ cat x
> cat: x: Permission denied
> $ acltool edit -- -owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ cat x
> aaa
> foo

Btw “acltool” is a small tool I’ve been creating because I find the current
crop of NFSv4/ZFS-ACL handling tools a bit… “lacking”.

The current “Work-in-progress” can be downloaded from

https://github.com/ptrrkssn/acltool

Compiles and works on FreeBSD, Solaris & Linux (only over NFSv4 for Linux)
sadly. No POSIX-ACL-support (at least not yet).

- Peter

> On 27 Feb 2020, at 18:41, Luoqi Chen <luoqi.chen@gmail.com> wrote:
>
> Hi,
>
> This was actually a pretty old problem, I noticed it a few years back and
> have been monitoring it when I upgrade the os on either the linux or the
> freebsd side -- it's still present between the latest centos and freebsd as
> of today. I meant to look into this issue myself, but had never found time
> for it, that's why I'm writing to this list, maybe it's a known problem or
> someone's willing to spend some time on it.
>
> And here you go, the problem,
>
> % cat ~/rotest.sh
> #!/bin/sh
> cp /dev/null x
> getfacl x
> chmod -w x
> getfacl x
> echo aaa >> x
> echo status $?
> cat x
> rm -f x
> % sh ~/rotest.sh
> # file: x
> # owner: luoqi
> # group: wheel
> user::rw-
> group::r--
> other::r--
>
> # file: x
> # owner: luoqi
> # group: wheel
> user::r--
> group::r--
> other::r--
>
> status 0
> aaa
>
> The script was run on a centos inside a directory nfs mounted from a
> freebsd. The append would fail for a centos/centos or a freebsd/freebsd
> combo. It's very easy to reproduce, it doesn't depend on any specific
> centos or freebsd version, nor on nfs version 3 or 4, nor on underlying
> file system ffs or zfs.
>
> -luoqi