Date: Thu, 27 Feb 2020 23:11:48 +0100
From: Peter Eriksson <pen@lysator.liu.se>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Subject: Re: Linux could write to read only files on FreeBSD NFS server
Message-ID: <6EC06026-DA28-4CAC-8D56-5C7856D4625E@lysator.liu.se>
In-Reply-To: <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>
References: <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com> <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>

I see that this was a bit unclear, writing to the protected file was via NFS from a Linux (CentOS 7) client. I verified the ACLs and the file content both via NFSv4 and locally on the FreeBSD server.

Writing from an OmniOS (OpenSolaris) client fails. As does a local write. As it should...

Also, it’s not related to ACLs (at least not directly). Using “chmod” gives the same effect:

> $ rm -f x
> $ touch x
> $ chmod 000 x
> $ ls -l x
> ---------- 1 peter86 employee-liu.se 0 27 feb 22.46 x
> $ echo foo >x
> $ cat x
> cat: x: Permission denied
> $ chmod 600 x
> cat x
> foo

Rick:

Looking at a tcpdump capture of the NFS traffic from the Linux client it seems to be doing:

1. Client -> Server:
V4 Procedure: COMPOUND (1)
  SEQUENCE (53)
  PUTFH (22)
  OPEN (18)
    share_access: OPEN4_SHARE_ACCESS_WRITE
    open type: OPEN4_NOCREATE
  ACCESS (3)
    Check: RD MD XT XE
  GETATTR (9)

2. Server -> Client:
V4 Procedure: COMPOUND (1)
  Status: NFS4_OK
  Operations (5):
    SEQUENCE (53) Status: NFS4_OK
    PUTFH Status: NFS4_OK
    OPEN Status: NFS4_OK
    ACCESS [Access Denied] Status: NFS4_OK
    GETATTR Status: NFS4_OK

3. Client -> Server:
V4 Procedure: COMPOUND (1)
  Tag: <EMPTY>
  Operations:
    SEQUENCE (53)
    PUTFH (22)
    WRITE (38)
      Stable: FILE_SYNC4
    GETATTR (9)

4. Server -> Client
V4 Procedure: COMPOUND
  Tag: <EMPTY>
  Operations:
    SEQUENCE (53) Status: NFS4_OK
    PUTFH Status: NFS4_OK
    WRITE Status: NFS4_OK
      Committed: FILE_SYNC4
    GETATTR Status: NFS4_OK

(According to Wireshark)

Looks like Linux ignores the Access Denied in packet 2 and just forges ahead, and FreeBSD happily accepts the WRITE in packet 3…

- Peter

> On 27 Feb 2020, at 22:03, Peter Eriksson <pen@lysator.liu.se> wrote:
>
> I can verify that this indeed seems to be the case - the file owner can always write to files, no matter the permissions set.
>
> Tested both locally (on ZFS) and over NFS (from the same directory).
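
The four-packet exchange above, as an added example that is not part of the original message: a Python check that flags a WRITE the server answered NFS4_OK on a filehandle whose preceding ACCESS reply had refused write rights. The record layout, the filehandle label `fh-x`, the assumption that ACCESS refused every requested right, and the assumption that OPEN leaves the current filehandle unchanged are constructed for illustration; the bit values are the NFSv4 ACCESS4_* constants.

```python
# Added example: flag WRITEs the server accepted after ACCESS refused write rights.
# NFSv4 ACCESS4_* bit values, keyed by the abbreviations Wireshark prints.
ACCESS_BITS = {"RD": 0x01, "LU": 0x02, "MD": 0x04, "XT": 0x08, "DL": 0x10, "XE": 0x20}
WRITE_BITS = ACCESS_BITS["MD"] | ACCESS_BITS["XT"]  # modify + extend


def mask(names):
    """Turn a string such as 'RD MD XT XE' into an ACCESS4 bitmask."""
    bits = 0
    for name in names.split():
        bits |= ACCESS_BITS[name]
    return bits


def find_unchecked_writes(exchanges):
    """Return (frame, filehandle) for every WRITE answered NFS4_OK on a
    filehandle whose most recent ACCESS reply refused MODIFY or EXTEND."""
    refused = {}   # filehandle -> write-related bits refused by the last ACCESS
    findings = []
    for ex in exchanges:
        fh = None  # current filehandle inside this COMPOUND
        for op, status, detail in ex["ops"]:
            if op == "PUTFH":
                fh = detail
            elif op == "ACCESS" and status == "NFS4_OK":
                asked, granted = mask(detail["check"]), mask(detail["granted"])
                refused[fh] = asked & ~granted & WRITE_BITS
            elif op == "WRITE" and status == "NFS4_OK" and refused.get(fh):
                findings.append((ex["frame"], fh))
    return findings


OK = "NFS4_OK"
# Constructed sample: each record merges a request with its reply, numbered by
# the reply packet. Field names and "fh-x" are assumptions of this example.
SAMPLE = [
    {"frame": 2, "ops": [("SEQUENCE", OK, None), ("PUTFH", OK, "fh-x"), ("OPEN", OK, None),
                         ("ACCESS", OK, {"check": "RD MD XT XE", "granted": ""}),
                         ("GETATTR", OK, None)]},
    {"frame": 4, "ops": [("SEQUENCE", OK, None), ("PUTFH", OK, "fh-x"),
                         ("WRITE", OK, None), ("GETATTR", OK, None)]},
]

if __name__ == "__main__":
    for frame, fh in find_unchecked_writes(SAMPLE):
        print(f"frame {frame}: WRITE accepted on {fh} after ACCESS refused write rights")
```

A hit is a lead rather than proof: permissions can legitimately change between the ACCESS and the WRITE.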