Bug 204013

Summary: permission problems communicating with FreeBSD-based NFS servers.
Product: [Fedora] Fedora
Reporter: Jeremy Anderson <ja>
Component: kernel
Assignee: Steve Dickson <steved>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 8
CC: alden, davej, triage, wtogami
Hardware: x86_64   
OS: Linux   
Whiteboard: bzcl34nup
Doc Type: Bug Fix
Last Closed: 2008-04-25 14:27:11 UTC
Attachments:
  output from tshark (flags: none)
  new output (from Fedora 8 client) (flags: none)
  new output (from Mac OS X client) (flags: none)

Description Jeremy Anderson 2006-08-25 00:02:03 UTC
Description of problem:

FC4 kernels after 2.6.15 have permissions issues when they attempt to connect to
FreeBSD-based NFS servers.

This has been verified on FreeBSD 5.4-RELEASE and Isilon Systems OneFS v3.0 and
v4.0.  Both are heavily modified FreeBSD derivatives.

Given two users, usera and userb, both of whom are members of groupa.
Given a file mounted on an NFS share from a FreeBSD-based server with the
following ownership and permissions:

-rw-rw-r--  1 usera groupa 23 Jul 14 17:12 filea

User userb will not be able to directly modify the file.

Please see reproduction scenario for details.


Version-Release number of selected component (if applicable):
2.6.16, 2.6.17

How reproducible:

Always

Steps to Reproduce:
1.  Create a user called user1.  Create this user with the following
characteristics:

user1:x:501:100:User1:/home/user1:/bin/bash

2.  Create a user called user2.  Create this user with the following
characteristics:

user2:x:502:100:User2:/home/user2:/bin/bash

3.  Verify user1 and user2's validity using id:

$ id user1
uid=501(user1) gid=100(users) groups=100(users)

$ id user2
uid=502(user2) gid=100(users) groups=100(users)

4. If it does not already exist, create a mount point on the FC4 box

if [ ! -d /mnt/nfsshare ]; then 
   mkdir /mnt/nfsshare
fi


5.  Mount an NFS share from a FreeBSD box with read-write capability.

mount -t nfs -o rw freebsd1:/nfsshare /mnt/nfsshare

6. Create a file which is owned by user1, in the users group (100), with 664 perms.

touch /mnt/nfsshare/testfile
chown user1:users /mnt/nfsshare/testfile
chmod 664 /mnt/nfsshare/testfile

7. Become user2

su - user2

8. Using your favorite editor (or vi), attempt to edit the file that was just
created.

vi /mnt/nfsshare/testfile

(insert random text)
<ESC>
:w

9.  Observe "Can't open file for writing" error.

10.  If you like, force a write using :w!

11.  Log out of user2 and become user1

exit
su - user1

12. Repeat step 8.

13. Observe "can't open file for writing" error, again. 

Actual results:

Demonstrated bidirectionally in above use case.

Expected results:

Files written.

Additional info:

Also exists as Isilon Systems Case 00007787.

Comment 1 David Lawrence 2006-09-05 15:57:43 UTC
Changing to proper owner, kernel-maint.

Comment 2 Dave Jones 2006-10-16 18:22:00 UTC
A new kernel update has been released (Version: 2.6.18-1.2200.fc5)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

In the last few updates, some users upgrading from FC4->FC5
have reported that installing a kernel update has left their
systems unbootable. If you have been affected by this problem
please check you only have one version of device-mapper & lvm2
installed.  See bug 207474 for further details.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

If this bug has been fixed, but you are now experiencing a different
problem, please file a separate bug for the new problem.

Thank you.

Comment 3 Jeremy Anderson 2006-10-17 17:34:48 UTC
Problem was reproduced under 2.6.17-1.2187_FC5.

Additional notes:

1) editing a file owned by another user with kedit failed.
2) editing a file owned by another user with vi succeeded, but only by forcing a
write using :w!

3) (new) Appending a file owned by another user with cat >> succeeded.

Comment 4 Dave Jones 2006-10-17 23:57:04 UTC
The previous comment mentioned 2.6.18-1.2200.fc5.
Does that have the same problem?


Comment 5 Jeremy Anderson 2006-10-20 18:24:21 UTC
Sorry.  First upgrade to 2.6.18-1.2200.fc5 was not successful.

Yes, this problem reproduces under 2.6.18-1.2200.fc5.

Comment 6 Bug Zapper 2008-04-04 03:35:38 UTC
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers

Comment 7 David Alden 2008-04-17 18:12:58 UTC
Please change the version to Fedora 8.

I'm having the same problem with my Fedora 8 clients (running 2.6.24.4-64) to
my Mac OS X 10.4.11 NFS server.

Help?

Comment 8 Steve Dickson 2008-04-21 13:47:40 UTC
I'm not having any problems using an F-8 kernel (2.6.24.4-64.fc8) to
mount a Mac-OS 10.5 server... would it be possible to get a binary bzip2 tshark
network trace? Something similar to:

   tshark -w /tmp/bz204013.pcap host <MacServer> 
   bzip2 /tmp/bz204013.pcap

Comment 9 David Alden 2008-04-21 15:41:10 UTC
Created attachment 303162 [details]
output from tshark

Here is the requested output from tshark.

Comment 10 Steve Dickson 2008-04-21 19:24:23 UTC
Here is what the network trace shows: the MacOS server
is failing truncation of a file (see packets 5 and 11 of the trace).
Both requests are coming from a user with the following credentials:
UID: 500 GID: 224
Auxiliary GIDs: 80, 220, 224, 360, 410, 414, 450, 620, 
                1000, 1003, 1004, 1005, 1006, 1011, 1012, 1013

So from what you are saying,
   user1:x:501:100:User1:/home/user1:/bin/bash
and
   user2:x:502:100:User2:/home/user2:/bin/bash

are trying to write to
   user1:users /mnt/nfsshare/testfile

as user2 which fails.

Unfortunately, the above scenario does not jibe with the network
trace.

What the network trace is saying is that a user with a GID of 500 and GID 224
who is *not* in group 100 (note the fact 100 is not in the auxiliary GIDs)
is being denied access to a file that is owned by UID 2501, GID 224 and has a
file mode of 0660, which makes sense...

So it appears to me that the uid/gid you think you're using is not
the actual uid/gid being used. Or maybe there is a mismatch of
ids between the server and client?

Comment 11 David Alden 2008-04-23 14:08:51 UTC
I'm sorry, there's a little confusion here.  I'm not the original poster, so
I'm not using the user1, user2 settings that the OP is.  Here's my setup (and
I'll attach a new tshark output with the output from this example):

% ls -lna
drwxrws---  3 2501 224 102 2008-04-23 08:52 .
drwxr-xr-x 10 2501  10 340 2008-04-17 09:42 ..
-rw-rw----  1 2501 224   9 2008-04-21 11:33 z
% id
uid=1301(joeuser) gid=224(staff-computer) groups=224(staff-computer)
% echo hi >| z
-bash: z: Permission denied
%

I've run the same commands from a Mac OS X client and I notice a few 'minor' differences:

 o  The Fedora client sets the Machine Name in the Credentials part of the
     packet, the Mac client does not.

 o  The Fedora client sends the primary GID as an Auxiliary GID, the Mac
     client does not.

 o  The Fedora client sends a new attribute for 'mtime' ("set to server time")
     while the Mac client does not.

Not knowing the NFS protocol, I don't know if those are 'normal' -- but an
educated guess tells me that they are and therefore it's probably the Mac NFS
server that is broken, right?
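
The credential comparison made in Comments 10 and 11, as an added example (not part of the original thread or its attachments): it decodes an AUTH_SYS credential body as laid out in RFC 5531 and applies the plain owner/group/other mode check. The credential bytes are constructed from the ids in Comment 11; the stamp, the machine name fedora8-client and all function names are assumptions, and ACLs and root squashing are ignored.

```python
import struct

# Constructed sample: AUTH_SYS credential body (RFC 5531 authsys_parms) built
# from the ids in Comment 11; stamp and machine name are made-up placeholders.
def build_authsys(stamp, machine, uid, gid, gids):
    name = machine.encode()
    pad = b"\0" * (-len(name) % 4)           # XDR pads opaque data to 4 bytes
    return (struct.pack(">II", stamp, len(name)) + name + pad +
            struct.pack(">III", uid, gid, len(gids)) +
            struct.pack(f">{len(gids)}I", *gids))

def parse_authsys(body):
    """Decode stamp, machinename, uid, gid and auxiliary gids from XDR."""
    stamp, nlen = struct.unpack_from(">II", body, 0)
    if nlen > 255:
        raise ValueError("machinename longer than 255 bytes")
    off = 8
    machine = body[off:off + nlen].decode("ascii", "replace")
    off += nlen + (-nlen % 4)
    uid, gid, count = struct.unpack_from(">III", body, off)
    off += 12
    if count > 16:                            # AUTH_SYS carries at most 16 gids
        raise ValueError("more than 16 auxiliary gids")
    if len(body) != off + 4 * count:
        raise ValueError("truncated or oversized credential")
    gids = list(struct.unpack_from(f">{count}I", body, off))
    return {"stamp": stamp, "machine": machine,
            "uid": uid, "gid": gid, "gids": gids}

def mode_allows(cred, f_uid, f_gid, mode, want):
    """Classic owner/group/other check; want is a 3-bit rwx mask (write = 2)."""
    if cred["uid"] == f_uid:
        bits = (mode >> 6) & 7
    elif f_gid == cred["gid"] or f_gid in cred["gids"]:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

SAMPLE = build_authsys(0, "fedora8-client", 1301, 224, [224])

if __name__ == "__main__":
    cred = parse_authsys(SAMPLE)
    print(cred)
    print("write to z (2501:224, 0660):",
          mode_allows(cred, 2501, 224, 0o660, 2))
```

With these inputs the mode bits grant group write, so the ids carried in the request do not by themselves explain a denial.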



Comment 12 David Alden 2008-04-23 14:09:32 UTC
Created attachment 303495 [details]
new output (from Fedora 8 client)

Comment 13 David Alden 2008-04-23 14:09:58 UTC
Created attachment 303496 [details]
new output (from Mac OS X client)

Comment 14 Steve Dickson 2008-04-25 14:14:13 UTC
David,

First of all, thanks for such an excellent analysis of the problem!
It was definitely appreciated!

I have to agree with your findings that this appears to be a server 
problem, so I pinged one of the NFS guys at Apple and here
is his response:

    I remember I fixed one that caused ACCESS to return
    incorrect access bits which I think went out in a Tiger update,
    though I can't pin down which one.  But it's possibly fixed in
    a Tiger update - though it affected Mac clients too.

    Sounds like the customer should now be motivated to
    upgrade to 10.5 Leopard.  It's not likely that we'll be putting
    much effort into fixing 10.4 Tiger bugs now.

So it appears you'll need to update your MacOS to 10.5. 

Note: I access 10.5 exports (on my iMac) from RHEL and Fedora
clients all the time... w/out issue.