Bug 1161164

Summary: nfs4_setfacl, nfs4_getfacl ignores DENY ace for DELETE, WRITE_OWNER, NAMED_ATTRS
Product: Red Hat Enterprise Linux 6
Reporter: Olga Kornievskaia <aglo>
Component: nfs4-acl-tools
Assignee: Steve Dickson <steved>
Status: CLOSED ERRATA
QA Contact: Yongcheng Yang <yoyang>
Severity: unspecified
Priority: unspecified
Version: 6.7
CC: bfields, eguan, fs-qe, mnavrati, salmy, steved
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nfs4-acl-tools-0.3.3-7.el6.src.rpm
Doc Type: Bug Fix
Doc Text:
Previously, the nfs4_setfacl and nfs4_getfacl commands ignored the DENY access control entry (ACE) for the DELETE, WRITE_OWNER, and NAMED_ATTRS permissions. A patch has been applied to fix this bug, and setting or viewing DENY ACE is no longer ignored.
Story Points: ---
Last Closed: 2015-07-22 06:48:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1160463

Description Olga Kornievskaia 2014-11-06 14:43:01 UTC
Description of problem:
nfs4_setfacl ignores setting of DENY ace for DELETE, WRITE_OWNER, READ/WRITE_NAMED_ATTRS. nfs4_getfacl does not display presence of those aces.

Version-Release number of selected component (if applicable):
all versions, but for example nfs4-acl-tools-0.3.3-13.el7.x86_64

How reproducible and actual results:
1. mount your server /mnt
2. touch /mnt/file1
3. nfs4_setfacl -a D::EVERYONE@:donN /mnt/file1
4. nfs4_getfacl /mnt/file1
D::EVERYONE@:
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rwatTnNcy
A::EVERYONE@:rtncy

Expected results:
D::EVERYONE@:dnNo
A::OWNER@:rwatTnNcCy
A:g:GROUP@:rwatTnNcy
A::EVERYONE@:rtncy


Additional info: same as bug 1160463, just applied to the RHEL6 version
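To make the failure in the reproducer concrete, the following is an added example, not nfs4-acl-tools source and not the reporter's code: it models the access-mask handling inside nfs4_new_ace() before and after the patch committed below, using the NFSv4 ACE mask bit values and ACE type values from RFC 3530 and the single-letter permission names documented in nfs4_setfacl(1). The function names (parse_perms, render_perms, ace_mask_before_fix, ace_mask_after_fix, perms_render_as) and the canonical print order are this example's own. The security-relevant point it shows is that the old code did not reject the DENY ACE from step 3; it silently dropped all four requested bits, so the ACL written to the server contained an empty DENY entry and the deletion and ownership-change restrictions the administrator believed were in place were never sent.

```c
/* Added example (not nfs4-acl-tools source). Bit values and ACE types are
 * the RFC 3530 constants; letters follow nfs4_setfacl(1). Function names
 * and the print order are assumptions made for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFS4_ACE_ACCESS_ALLOWED_ACE_TYPE 0
#define NFS4_ACE_ACCESS_DENIED_ACE_TYPE  1

#define NFS4_ACE_READ_DATA          0x00000001
#define NFS4_ACE_WRITE_DATA         0x00000002
#define NFS4_ACE_APPEND_DATA        0x00000004
#define NFS4_ACE_READ_NAMED_ATTRS   0x00000008
#define NFS4_ACE_WRITE_NAMED_ATTRS  0x00000010
#define NFS4_ACE_EXECUTE            0x00000020
#define NFS4_ACE_DELETE_CHILD       0x00000040
#define NFS4_ACE_READ_ATTRIBUTES    0x00000080
#define NFS4_ACE_WRITE_ATTRIBUTES   0x00000100
#define NFS4_ACE_DELETE             0x00010000
#define NFS4_ACE_READ_ACL           0x00020000
#define NFS4_ACE_WRITE_ACL          0x00040000
#define NFS4_ACE_WRITE_OWNER        0x00080000
#define NFS4_ACE_SYNCHRONIZE        0x00100000

/* The bits the pre-fix code stripped from every DENY ACE (from the patch). */
#define NFS4_ACE_MASK_IGNORE (NFS4_ACE_DELETE | NFS4_ACE_WRITE_OWNER \
        | NFS4_ACE_READ_NAMED_ATTRS | NFS4_ACE_WRITE_NAMED_ATTRS)

/* Letter <-> bit table, listed in the order the letters are printed. */
static const struct { char c; uint32_t bit; } perm_table[] = {
    {'r', NFS4_ACE_READ_DATA},        {'w', NFS4_ACE_WRITE_DATA},
    {'a', NFS4_ACE_APPEND_DATA},      {'x', NFS4_ACE_EXECUTE},
    {'d', NFS4_ACE_DELETE},           {'D', NFS4_ACE_DELETE_CHILD},
    {'t', NFS4_ACE_READ_ATTRIBUTES},  {'T', NFS4_ACE_WRITE_ATTRIBUTES},
    {'n', NFS4_ACE_READ_NAMED_ATTRS}, {'N', NFS4_ACE_WRITE_NAMED_ATTRS},
    {'c', NFS4_ACE_READ_ACL},         {'C', NFS4_ACE_WRITE_ACL},
    {'o', NFS4_ACE_WRITE_OWNER},      {'y', NFS4_ACE_SYNCHRONIZE},
};
#define NPERMS (sizeof perm_table / sizeof perm_table[0])

/* Parse a permission string such as "donN" into a mask.
 * An unknown letter rejects the whole string (returns 0). */
uint32_t parse_perms(const char *s)
{
    uint32_t mask = 0;
    for (; *s; s++) {
        size_t i;
        for (i = 0; i < NPERMS; i++) {
            if (perm_table[i].c == *s) { mask |= perm_table[i].bit; break; }
        }
        if (i == NPERMS)
            return 0;
    }
    return mask;
}

/* Render a mask in canonical order into buf; returns buf. */
char *render_perms(uint32_t mask, char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < NPERMS && n + 1 < len; i++) {
        if (mask & perm_table[i].bit)
            buf[n++] = perm_table[i].c;
    }
    buf[n] = '\0';
    return buf;
}

/* What nfs4_new_ace() kept of access_mask before the patch: DENY ACEs lost
 * DELETE, WRITE_OWNER and both NAMED_ATTRS bits; files lose DELETE_CHILD. */
uint32_t ace_mask_before_fix(int is_directory, uint32_t type, uint32_t access_mask)
{
    if (type == NFS4_ACE_ACCESS_DENIED_ACE_TYPE)
        access_mask &= ~NFS4_ACE_MASK_IGNORE;
    if (!is_directory)
        access_mask &= ~NFS4_ACE_DELETE_CHILD;
    return access_mask;
}

/* After the patch only the DELETE_CHILD castration on files remains,
 * so ALLOW and DENY are treated alike. */
uint32_t ace_mask_after_fix(int is_directory, uint32_t type, uint32_t access_mask)
{
    (void)type;
    if (!is_directory)
        access_mask &= ~NFS4_ACE_DELETE_CHILD;
    return access_mask;
}

/* Does mask print as the expected permission string? */
int perms_render_as(uint32_t mask, const char *expected)
{
    char buf[NPERMS + 1];
    return strcmp(render_perms(mask, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    uint32_t req = parse_perms("donN");   /* the mask from step 3 above */
    char buf[NPERMS + 1];
    printf("before fix: D::EVERYONE@:%s\n", render_perms(
        ace_mask_before_fix(0, NFS4_ACE_ACCESS_DENIED_ACE_TYPE, req), buf, sizeof buf));
    printf("after fix:  D::EVERYONE@:%s\n", render_perms(
        ace_mask_after_fix(0, NFS4_ACE_ACCESS_DENIED_ACE_TYPE, req), buf, sizeof buf));
    return 0;
}
```

The "dnNo" in the expected output is the same four bits as the "donN" typed on the command line; nfs4_getfacl prints them in its fixed order, which the table above reproduces. Note that ace_mask_before_fix() leaves an ALLOW ACE with the same bits untouched, which is exactly the asymmetry the patch removes.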

The following patch was committed by the maintainer:
commit 47f4fae9b746
Author: Olga Kornievskaia <kolga>
Date:   Mon Nov 3 14:46:51 2014 -0500

    handle DENY ace for DELETE, WRITE_OWNER, and NAMED_ATTRS

    Don't ignore setting or viewing DENY ace for DELETE, WRITE_OWNER, and
    NAMED_ATTRS.

    Signed-off-by: Olga Kornievskaia <kolga>
    Signed-off-by: J. Bruce Fields <bfields>

diff --git a/include/libacl_nfs4.h b/include/libacl_nfs4.h
index 2f7cc2898678..47ca3c458110 100644
--- a/include/libacl_nfs4.h
+++ b/include/libacl_nfs4.h
@@ -95,16 +95,6 @@
 #define NFS4_INHERITANCE_FLAGS (NFS4_ACE_FILE_INHERIT_ACE \
                | NFS4_ACE_DIRECTORY_INHERIT_ACE | NFS4_ACE_INHERIT_ONLY_ACE)

-#define NFS4_ACE_MASK_IGNORE (NFS4_ACE_DELETE | NFS4_ACE_WRITE_OWNER \
-               | NFS4_ACE_READ_NAMED_ATTRS | NFS4_ACE_WRITE_NAMED_ATTRS)
-/* XXX not sure about the following.  Note that e.g. DELETE_CHILD is wrong in
- * general (should only be ignored on files). */
-#define MASK_EQUAL(mask1, mask2) \
-       (((mask1) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_MASK_IGNORE & \
-                                               ~NFS4_ACE_DELETE_CHILD) \
-        == ((mask2) & NFS4_ACE_MASK_ALL & ~NFS4_ACE_MASK_IGNORE & \
-                                               ~NFS4_ACE_DELETE_CHILD))
-
 /*
  * NFS4_MAX_ACESIZE -- the number of bytes in the string representation we
  * read in (not the same as on-the-wire, which is also not the same as how
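Review bot: this header hunk deletes NFS4_ACE_MASK_IGNORE and MASK_EQUAL but the only other hunk in the patch is the one in nfs4_new_ace.c, so the change relies on no other translation unit still referencing either macro; the commit message should state that the tree was grepped for MASK_EQUAL and NFS4_ACE_MASK_IGNORE, or any remaining user needs a hunk of its own. The deleted XXX comment also recorded a real concern, that DELETE_CHILD should only be ignored on files, and nothing left in the header says where that is now handled; a one-line comment pointing at the is_directory check in nfs4_new_ace() would keep that knowledge in the tree.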
diff --git a/libnfs4acl/nfs4_new_ace.c b/libnfs4acl/nfs4_new_ace.c
index a93f74a3c7b2..0c875b1d9ebd 100644
--- a/libnfs4acl/nfs4_new_ace.c
+++ b/libnfs4acl/nfs4_new_ace.c
@@ -51,9 +51,6 @@ struct nfs4_ace * nfs4_new_ace(int is_directory, u32 type, u32 flag, u32 access_
        ace->type = type;
        ace->flag = flag;

-       if( type == NFS4_ACE_ACCESS_DENIED_ACE_TYPE )
-               access_mask = access_mask & ~(NFS4_ACE_MASK_IGNORE);
-
        /* Castrate delete_child if we aren't a directory */
        if (!is_directory)
                access_mask &= ~NFS4_ACE_DELETE_CHILD;
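Review bot: removing the DENY-only stripping makes ALLOW and DENY ACEs symmetric, which is the fix, but nfs4_new_ace() still performs no validation of access_mask against NFS4_ACE_MASK_ALL for either type, so bits the tool does not understand now pass through for DENY exactly as they always did for ALLOW; if that is intended, say so in the commit message, otherwise add a check such as `if (access_mask & ~NFS4_ACE_MASK_ALL) return NULL;` ahead of the DELETE_CHILD castration. The commit message also claims viewing is fixed, yet this is the only code hunk, so either a sentence explaining that nfs4_getfacl's output is produced through this same constructor is needed, or the display side needs its own hunk.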
--

Comment 10 errata-xmlrpc 2015-07-22 06:48:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1340.html