Date: Thu, 27 Feb 2020 22:03:20 +0100
From: Peter Eriksson <pen@lysator.liu.se>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Subject: Re: Linux could write to read only files on FreeBSD NFS server
Message-ID: <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>
In-Reply-To: <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com>
References: <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com>

I can verify that this indeed seems to be the case - the file owner can always write to files, no matter the permissions set. Tested both locally (on ZFS) and over NFS (from the same directory).

- Peter

> $ touch x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::rw-
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ chmod -w x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::r--
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ echo aaa >>x
>
> $ cat x
> aaa

Not even a “deny” ACL stops writing :-). It does stop me from reading the file contents afterwards though :-)

> $ acltool edit owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rwxpd-aARWcCos:-------:deny
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ echo foo >>x
> $ cat x
> cat: x: Permission denied
> $ acltool edit -- -owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ cat x
> aaa
> foo

Btw “acltool” is a small tool I’ve been creating because I find the current crop of NFSv4/ZFS-ACL handling tools a bit… “lacking”. The current “Work-in-progress” can be downloaded from https://github.com/ptrrkssn/acltool

Compiles and works on FreeBSD, Solaris & Linux (only over NFSv4 for Linux) sadly. No POSIX-ACL-support (at least not yet).

- Peter

> On 27 Feb 2020, at 18:41, Luoqi Chen <luoqi.chen@gmail.com> wrote:
>
> Hi,
>
> This was actually a pretty old problem, I noticed it a few years back and
> have been monitoring it when I upgrade the os on either the linux or the
> freebsd side -- it's still present between the latest centos and freebsd as
> of today. I meant to look into this issue myself, but had never found time
> for it, that's why I'm writing to this list, maybe it's a known problem or
> someone's willing to spend some time on it.
>
> And here you go, the problem,
>
> % cat ~/rotest.sh
> #!/bin/sh
> cp /dev/null x
> getfacl x
> chmod -w x
> getfacl x
> echo aaa >> x
> echo status $?
> cat x
> rm -f x
> % sh ~/rotest.sh
> # file: x
> # owner: luoqi
> # group: wheel
> user::rw-
> group::r--
> other::r--
>
> # file: x
> # owner: luoqi
> # group: wheel
> user::r--
> group::r--
> other::r--
>
> status 0
> aaa
>
> The script was run on a centos inside a directory nfs mounted from a
> freebsd. The append would fail for a centos/centos or a freebsd/freebsd
> combo. It's very easy to reproduce, it doesn't depend on any specific
> centos or freebsd version, nor on nfs version 3 or 4, nor on underlying
> file system ffs or zfs.
>
> -luoqi
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
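
As an added example (not part of the thread, and not acltool's code), the sketch below evaluates the two ACLs shown in the transcripts above with the in-order ACE processing rule of the NFSv4 specification (RFC 7530), to show what the ACLs themselves grant the owner for `r` (read_data), `w` (write_data) and `p` (append_data). It assumes the owner is also a member of the owning group and treats bits that no ACE allows as refused.

```python
# Added example: in-order NFSv4 ACE evaluation over the ACLs quoted above.
# ACL text is copied from the acltool listings in the message.

AFTER_CHMOD = """\
owner@:r-----aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""

WITH_DENY = """\
owner@:rwxpd-aARWcCos:-------:deny
owner@:r-----a-R-cC-s:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""

# Assumption: the requester is the file owner and is in the owning group.
OWNER = {"owner@", "group@", "everyone@"}


def parse_acl(text):
    """Return [(who, permission_letters, ace_type)] in ACL order."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and "# file:" style header lines
        who, perms, _flags, ace_type = line.rsplit(":", 3)
        aces.append((who, set(perms) - {"-"}, ace_type))
    return aces


def decide(aces, principals, wanted):
    """A deny ACE that hits a still-unallowed bit refuses the request."""
    pending = set(wanted)
    for who, perms, ace_type in aces:
        if who not in principals:
            continue
        if ace_type == "deny" and pending & perms:
            return "deny"
        if ace_type == "allow":
            pending -= perms
        if not pending:
            return "allow"
    return "deny"  # leftover bits are undefined in the RFC; refused here


def report(acl_text, principals=OWNER):
    """Decision for read_data, write_data and append_data, one bit at a time."""
    aces = parse_acl(acl_text)
    return {bit: decide(aces, principals, bit) for bit in "rwp"}


if __name__ == "__main__":
    for name, acl in (("after chmod -w", AFTER_CHMOD), ("owner@ deny", WITH_DENY)):
        print(name, report(acl))
```

Under both ACLs the evaluation refuses `w` and `p` for the owner, so the appends that succeed in the transcripts are not something the ACL contents grant; the refused `r` under the deny ACE matches the `Permission denied` from `cat`.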
