Date:      Thu, 27 Feb 2020 23:11:48 +0100
From:      Peter Eriksson <pen@lysator.liu.se>
To:        FreeBSD Filesystems <freebsd-fs@freebsd.org>
Subject:   Re: Linux could write to read only files on FreeBSD NFS server
Message-ID:  <6EC06026-DA28-4CAC-8D56-5C7856D4625E@lysator.liu.se>
In-Reply-To: <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>
References:  <CAHJqQjuEVpL4xV1dAf6scFqFfMNm1gY3jOaO64ZQJTCQi_qzcQ@mail.gmail.com> <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>

I see that this was a bit unclear, writing to the protected file was via NFS from a Linux (CentOS 7) client. I verified the ACLs and the file content both via NFSv4 and locally on the FreeBSD server.

Writing from an OmniOS (OpenSolaris) client fails. As does a local write. As it should...

Also, it’s not related to ACLs (at least not directly). Using “chmod” gives the same effect:

> $ rm -f x
> $ touch x
> $ chmod 000 x
> $ ls -l x
> ---------- 1 peter86 employee-liu.se 0 27 feb 22.46 x
> $ echo foo >x
> $ cat x
> cat: x: Permission denied
> $ chmod 600 x
> $ cat x
> foo

Rick:
Looking at a tcpdump capture of the NFS traffic from the Linux client it =
seems to be doing:

1. Client -> Server:

V4 Procedure: COMPOUND (1)
 	SEQUENCE (53)
	PUTFH (22)
	OPEN (18)
		share_access: OPEN4_SHARE_ACCESS_WRITE
		open type: OPEN4_NOCREATE
	ACCESS (3)
		Check: RD MD XT XE
	GETATTR (9)


2. Server -> Client:

V4 Procedure: COMPOUND (1)
Status: NFS4_OK
Operations (5):
    SEQUENCE (53)
	Status: NFS4_OK
    PUTFH
	Status: NFS4_OK
    OPEN
	Status: NFS4_OK
    ACCESS [Access Denied]
	Status: NFS4_OK
    GETATTR
	Status: NFS4_OK


3. Client -> Server:

V4 Procedure: COMPOUND (1)
Tag: <EMPTY>
Operations:
	SEQUENCE (53)
	PUTFH (22)
	WRITE (38)
		Stable: FILE_SYNC4
	GETATTR (9)


4. Server -> Client

V4 Procedure: COMPOUND
Tag: <EMPTY>
Operations:
	SEQUENCE (53)
		Status: NFS4_OK
	PUTFH
		Status: NFS4_OK
	WRITE
		Status: NFS4_OK
		Committed: FILE_SYNC4
	GETATTR
		Status: NFS4_OK

(According to Wireshark)


Looks like Linux ignores the Access Denied in packet 2 and just forges ahead, and FreeBSD happily accepts the WRITE in packet 3…

- Peter


> On 27 Feb 2020, at 22:03, Peter Eriksson <pen@lysator.liu.se> wrote:
>
> I can verify that this indeed seems to be the case - the file owner can always write to files, no matter the permissions set.
>
> Tested both locally (on ZFS) and over NFS (from the same directory).
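
Added example, not part of the original message: a Python detection check for the exchange in the capture above, run over a constructed summary of the two server replies. The record layout, the `file` label standing in for the filehandle, and the set of denied bits are assumptions; the post shows only "[Access Denied]".

```python
"""Flag NFSv4 WRITEs a server accepted after its own ACCESS reply denied write rights."""

WRITE_BITS = {"MD", "XT"}  # Wireshark's labels for ACCESS4_MODIFY / ACCESS4_EXTEND

# Constructed sample modelled on packets 2 and 4 in the post. "file" stands in
# for the filehandle, and the empty granted set is an assumption: the post only
# shows "[Access Denied]" without listing which bits were refused.
SAMPLE_REPLIES = [
    {"frame": 2, "file": "x", "ops": [
        ("SEQUENCE", "NFS4_OK", {}),
        ("PUTFH", "NFS4_OK", {}),
        ("OPEN", "NFS4_OK", {"share_access": "OPEN4_SHARE_ACCESS_WRITE"}),
        ("ACCESS", "NFS4_OK", {"checked": {"RD", "MD", "XT", "XE"}, "granted": set()}),
        ("GETATTR", "NFS4_OK", {}),
    ]},
    {"frame": 4, "file": "x", "ops": [
        ("SEQUENCE", "NFS4_OK", {}),
        ("PUTFH", "NFS4_OK", {}),
        ("WRITE", "NFS4_OK", {"committed": "FILE_SYNC4"}),
        ("GETATTR", "NFS4_OK", {}),
    ]},
]


def find_unenforced_writes(replies):
    """Return one finding per successful WRITE to a file whose most recent
    ACCESS reply refused every write-related bit the client asked about."""
    denied = {}    # file -> frame of the ACCESS reply that denied write rights
    findings = []
    for reply in replies:
        name = reply["file"]
        for op, status, args in reply["ops"]:
            if status != "NFS4_OK":
                break  # a COMPOUND stops at the first failing operation
            if op == "ACCESS":
                asked = args["checked"] & WRITE_BITS
                if asked and not (asked & args["granted"]):
                    denied[name] = reply["frame"]
                elif asked:
                    denied.pop(name, None)  # a later ACCESS granted write rights
            elif op == "WRITE" and name in denied:
                findings.append({"file": name, "access_frame": denied[name],
                                 "write_frame": reply["frame"]})
    return findings


if __name__ == "__main__":
    for f in find_unenforced_writes(SAMPLE_REPLIES):
        print(f"WRITE in frame {f['write_frame']} accepted after ACCESS "
              f"denial in frame {f['access_frame']} on {f['file']!r}")
```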



