Bug 1160463

Summary: nfs4_setfacl, nfs4_getfacl ignores DENY ace for DELETE, WRITE_OWNER, NAMED_ATTRS
Product: Red Hat Enterprise Linux 7
Reporter: Olga Kornievskaia <aglo>
Component: nfs4-acl-tools
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: Yongcheng Yang <yoyang>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: eguan, fs-qe, jiyin, lmiksik, yoyang
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: nfs4-acl-tools-0.3.3-14.el7
Doc Type: Bug Fix
Clone Of:
: 1249103
Last Closed: 2015-11-19 14:47:18 UTC
Type: Bug
Bug Depends On: 1161164
Bug Blocks: 1249103
Attachments: patch file (flags: none)

Description Olga Kornievskaia 2014-11-04 21:10:48 UTC
Created attachment 953835
patch file

Description of problem:

nfs4_setfacl ignores setting of DENY ace for DELETE, WRITE_OWNER, READ/WRITE_NAMED_ATTRS. nfs4_getfacl does not display presence of those aces.

Version-Release number of selected component (if applicable):
All versions; for example, nfs4-acl-tools-0.3.3-13.el7.x86_64


How reproducible and actual results:
1. mount your server /mnt
2. touch /mnt/file1
3. nfs4_setfacl -a D::EVERYONE@:donN /mnt/file1
4. nfs4_getfacl /mnt/file1
D::EVERYONE@:
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rwatTnNcy
A::EVERYONE@:rtncy

Expected results:
D::EVERYONE@:dnNo
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rwatTnNcy
A::EVERYONE@:rtncy

Additional info:
The following patch has been submitted to the maintainer as a fix:

[PATCH 1/1] [nfs4-acl-tools] handle DENY ace for DELETE, WRITE_OWNER,
 and NAMED_ATTRS

Don't ignore setting or viewing DENY ace for DELETE, WRITE_OWNER, and
NAMED_ATTRS.

Signed-off-by: Olga Kornievskaia <kolga>
---
 include/libacl_nfs4.h     | 8 ++------
 libnfs4acl/nfs4_new_ace.c | 3 ---
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/include/libacl_nfs4.h b/include/libacl_nfs4.h
index 2f7cc28..7b19c6f 100644
--- a/include/libacl_nfs4.h
+++ b/include/libacl_nfs4.h
@@ -95,15 +95,11 @@
 #define NFS4_INHERITANCE_FLAGS (NFS4_ACE_FILE_INHERIT_ACE \
                | NFS4_ACE_DIRECTORY_INHERIT_ACE | NFS4_ACE_INHERIT_ONLY_ACE)

-#define NFS4_ACE_MASK_IGNORE (NFS4_ACE_DELETE | NFS4_ACE_WRITE_OWNER \
-               | NFS4_ACE_READ_NAMED_ATTRS | NFS4_ACE_WRITE_NAMED_ATTRS)
 /* XXX not sure about the following.  Note that e.g. DELETE_CHILD is wrong in
  * general (should only be ignored on files). */
 #define MASK_EQUAL(mask1, mask2) \
-       (((mask1) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_MASK_IGNORE & \
-                                               ~NFS4_ACE_DELETE_CHILD) \
-        == ((mask2) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_MASK_IGNORE & \
-                                               ~NFS4_ACE_DELETE_CHILD))
+       (((mask1) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_DELETE_CHILD) \
+        == ((mask2) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_DELETE_CHILD))

 /*
  * NFS4_MAX_ACESIZE -- the number of bytes in the string representation we
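Review bot: The "XXX not sure about the following" comment kept above MASK_EQUAL still says that masking DELETE_CHILD is wrong in general (it should only be ignored on files), yet the rewritten macro keeps `& ~NFS4_ACE_DELETE_CHILD` on both sides unconditionally, so two directory ACEs that differ only in DELETE_CHILD still compare equal. Since this change is already taking ignored bits out of the comparison, either handle DELETE_CHILD here as well or update the comment to say it is deliberately left alone. The commit message should also say why NFS4_ACE_MASK_IGNORE existed, because MASK_EQUAL now treats ACEs that differ in DELETE, WRITE_OWNER or the NAMED_ATTRS bits as different for every caller, and dropping the define needs a check that nothing else in the tree references it beyond the use removed from nfs4_new_ace.c.
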
diff --git a/libnfs4acl/nfs4_new_ace.c b/libnfs4acl/nfs4_new_ace.c
index a93f74a..0c875b1 100644
--- a/libnfs4acl/nfs4_new_ace.c
+++ b/libnfs4acl/nfs4_new_ace.c
@@ -51,9 +51,6 @@ struct nfs4_ace * nfs4_new_ace(int is_directory, u32 type, u32 flag, u32 access_
        ace->type = type;
        ace->flag = flag;

-       if( type == NFS4_ACE_ACCESS_DENIED_ACE_TYPE )
-               access_mask = access_mask & ~(NFS4_ACE_MASK_IGNORE);
-
        /* Castrate delete_child if we aren't a directory */
        if (!is_directory)
                access_mask &= ~NFS4_ACE_DELETE_CHILD;
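Review bot: The remaining `access_mask &= ~NFS4_ACE_DELETE_CHILD;` for non-directories is still a silent change to what the caller asked for, the same pattern as the DENY masking removed just above it: the caller gets an ACE back with fewer bits and no indication that anything was dropped. Consider reporting the dropped bit to the caller, or at least documenting it in the function comment, so that a DENY entry narrower than requested cannot go unnoticed. A regression test that sets `D::EVERYONE@:dnNo` and reads it back would pin the new behaviour.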
--
1.9.3
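
Why step 4 printed an empty `D::EVERYONE@:` entry, shown as an added example (not part of the original report and not nfs4-acl-tools code): a small model of the mask filtering that the patch removes. The names `stored_mask`, `parse_perms`, `format_perms` and the shortened `ACE_*` constants are hypothetical; the bit values are the NFSv4 ACE mask values from RFC 7530, and only the five permission letters relevant here are modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NFSv4 ACE access-mask bits (RFC 7530) for the permission letters on this page. */
#define ACE_READ_NAMED_ATTRS  0x00000008u /* n */
#define ACE_WRITE_NAMED_ATTRS 0x00000010u /* N */
#define ACE_DELETE_CHILD      0x00000040u /* D */
#define ACE_DELETE            0x00010000u /* d */
#define ACE_WRITE_OWNER       0x00080000u /* o */
#define ACE_TYPE_ALLOW 0u
#define ACE_TYPE_DENY  1u
#define MASK_IGNORE (ACE_DELETE | ACE_WRITE_OWNER | \
                     ACE_READ_NAMED_ATTRS | ACE_WRITE_NAMED_ATTRS)

/* Letter table, in the order the page's expected output ("dnNo") uses. */
static const struct { char c; uint32_t bit; } PERMS[] = {
    {'d', ACE_DELETE}, {'D', ACE_DELETE_CHILD}, {'n', ACE_READ_NAMED_ATTRS},
    {'N', ACE_WRITE_NAMED_ATTRS}, {'o', ACE_WRITE_OWNER},
};
#define NPERMS (sizeof PERMS / sizeof PERMS[0])

/* Turn a permission string such as "donN" into a bit mask. */
uint32_t parse_perms(const char *s) {
    uint32_t mask = 0;
    for (; *s; s++)
        for (size_t i = 0; i < NPERMS; i++)
            if (PERMS[i].c == *s) mask |= PERMS[i].bit;
    return mask;
}

/* Render a mask as permission letters; buf must hold NPERMS + 1 bytes. */
const char *format_perms(uint32_t mask, char *buf) {
    size_t n = 0;
    for (size_t i = 0; i < NPERMS; i++)
        if (mask & PERMS[i].bit) buf[n++] = PERMS[i].c;
    buf[n] = '\0';
    return buf;
}

/* Mask that ends up in the ACE; patched=0 models the behaviour being removed. */
uint32_t stored_mask(int patched, int is_directory, uint32_t type, uint32_t mask) {
    if (!patched && type == ACE_TYPE_DENY) mask &= ~MASK_IGNORE;
    if (!is_directory) mask &= ~ACE_DELETE_CHILD;
    return mask;
}

int main(void) {
    char a[8], b[8];
    uint32_t req = parse_perms("donN");   /* the ACE from step 3 */
    printf("before: D::EVERYONE@:%s\n", format_perms(stored_mask(0, 0, ACE_TYPE_DENY, req), a));
    printf("after:  D::EVERYONE@:%s\n", format_perms(stored_mask(1, 0, ACE_TYPE_DENY, req), b));
    return 0;
}
```

Every bit requested by `donN` is in the ignore mask, so the unpatched path stores a DENY entry with no permissions at all while the tool still exits 0; comparing the requested mask with the stored one is the check that exposes this.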

Comment 3 Yongcheng Yang 2015-03-24 03:32:05 UTC
[root@hp-dl380pg8-09 ~]# rpm -q nfs4-acl-tools
nfs4-acl-tools-0.3.3-13.el7.x86_64
[root@hp-dl380pg8-09 ~]# 
[root@hp-dl380pg8-09 ~]# 
[root@hp-dl380pg8-09 ~]# cat /etc/exports
/export *(rw)
[root@hp-dl380pg8-09 ~]# service nfs restart
Redirecting to /bin/systemctl restart  nfs.service
[root@hp-dl380pg8-09 ~]# mount localhost:/export/ /mnt/mnt_test/
[root@hp-dl380pg8-09 ~]# chmod 777 /export/
[root@hp-dl380pg8-09 ~]# touch /mnt/mnt_test/file1
[root@hp-dl380pg8-09 ~]# nfs4_setfacl -a D::EVERYONE@:donN /mnt/mnt_test/file1 
[root@hp-dl380pg8-09 ~]# nfs4_getfacl /mnt/mnt_test/file1 
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
[root@hp-dl380pg8-09 ~]#

Comment 6 Yongcheng Yang 2015-08-03 03:45:39 UTC
Verified with nfs4-acl-tools-0.3.3-14.el7.x86_64

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: do-Test-nfs4_setfacl-D::EVERYONE@:dnNo-with-netapp-pnfs-02.mgmt.lab.eng.nay.redhat.com:/export/qe-test-rhel6bz1161164-rhel7bz1160463
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[11:39:36 root@ ~~]# touch /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'touch /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)
--------------------------------------------------------------------------------
[11:39:36 root@ ~~]# nfs4_setfacl -a 'D::EVERYONE@:dnNo' /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'nfs4_setfacl -a 'D::EVERYONE@:dnNo' /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)
--------------------------------------------------------------------------------
[11:39:36 root@ ~~]# nfs4_getfacl /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile | grep 'D::EVERYONE@:dnNo'
:: [   FAIL   ] :: Running 'nfs4_getfacl /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile | grep 'D::EVERYONE@:dnNo'' (Expected 0, got 1)
--------------------------------------------------------------------------------
[11:39:36 root@ ~~]# rm -f /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'rm -f /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)
--------------------------------------------------------------------------------
[root@ibm-x3550m4-02 common]# 
[root@ibm-x3550m4-02 common]# rpm -q nfs4-acl-tools
nfs4-acl-tools-0.3.3-13.el7.x86_64
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ reproduced with previous version
[root@ibm-x3550m4-02 common]# rpm -Uvh /root/nfs4-acl-tools-0.3.3-14.el7.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:nfs4-acl-tools-0.3.3-14.el7      ################################# [ 50%]
Cleaning up / removing...
   2:nfs4-acl-tools-0.3.3-13.el7      ################################# [100%]
[root@ibm-x3550m4-02 common]# rpm -q nfs4-acl-tools
nfs4-acl-tools-0.3.3-14.el7.x86_64
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ update to the latest version
[root@ibm-x3550m4-02 common]# 
...
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: do-Test-nfs4_setfacl-D::EVERYONE@:dnNo-with-netapp-pnfs-02.mgmt.lab.eng.nay.redhat.com:/export/qe-test-rhel6bz1161164-rhel7bz1160463
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[11:42:21 root@ ~~]# touch /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'touch /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)
--------------------------------------------------------------------------------
[11:42:22 root@ ~~]# nfs4_setfacl -a 'D::EVERYONE@:dnNo' /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'nfs4_setfacl -a 'D::EVERYONE@:dnNo' /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)
--------------------------------------------------------------------------------
[11:42:22 root@ ~~]# nfs4_getfacl /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile | grep 'D::EVERYONE@:dnNo'
D::EVERYONE@:dnNo
:: [   PASS   ] :: Running 'nfs4_getfacl /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile | grep 'D::EVERYONE@:dnNo'' (Expected 0, got 0)
--------------------------------------------------------------------------------
[11:42:22 root@ ~~]# rm -f /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile
:: [   PASS   ] :: Running 'rm -f /mnt/nfsmp-nfs4_acl/nfs4_acl_testfile' (Expected 0, got 0)

Move to VERIFIED

Comment 7 errata-xmlrpc 2015-11-19 14:47:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2450.html