Description of problem:
Since kernel-5.14.0-178.el9 we have a new failure when testing the NFSv4 ACLs.
The test scenario is that a user tries to set ACLs on a file for which he doesn't have permission, and it should fail as before. But now it looks like the NFSv4 server won't return a failure when it actually fails to set those ACLs.
Version-Release number of selected component (if applicable):
since kernel 5.14.0-178.el9
How reproducible:
always
Steps to Reproduce:
1. Try to `nfs4_setfacl` a file without having permission to do that.
Actual results:
https://beaker.engineering.redhat.com/jobs/7175603 (in kernel-5.14.0-178.el9)
---
[09:25:26 root@ ~~]# nfsstat -m
/mnt/nfsmp-user_permission_check from fsqe-r640-02.fs.lab.eng.bos.redhat.com:/exportdir-user_permission_check
Flags: rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.16.56.10,local_lock=none,addr=10.16.224.250
[09:25:26 root@ ~~]# su alice -c 'touch /mnt/nfsmp-user_permission_check/testfile_alice'
[09:25:26 root@ ~~]# ls -l /mnt/nfsmp-user_permission_check/testfile_alice
-rw-r--r--. 1 alice alice 0 Oct 27 09:25 /mnt/nfsmp-user_permission_check/testfile_alice
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice
# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
{Info} Try to set the ACL by another user, should be failed.
[09:25:26 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
^^^^^^^^^^^^^^^ [ FAIL ] :: Only the owner of a file should be able to set its ACL. (Expected 1-255, got 0)
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice
# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
Expected results:
https://beaker.engineering.redhat.com/jobs/7179170 (with kernel-5.14.0-177.el9)
---
[01:09:51 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
Failed setxattr operation: Operation not permitted
Additional info:
We have just updated a lot of NFS patches in Bug 2094072, and maybe those ACL updates matter:
[yoyang@yoyang-vm kernel-rhel9]$ git lo kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
5ada9b19fb98 NFSD: fix regression with setting ACLs.
be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs
(In reply to Yongcheng Yang from comment #0)
> ...
> Additional info:
> We have just updated a lot of NFS patches in Bug 2094072, and maybe those ACL updates matter:
> [yoyang@yoyang-vm kernel-rhel9]$ git lo
> kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
> 5ada9b19fb98 NFSD: fix regression with setting ACLs.
> be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs
And for now the upstream kernel (6.1.0-rc2+) also has this problem.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2023:2458
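
A regression check for the behaviour reported above has to look at both the exit status of `nfs4_setfacl` and the ACL before and after the attempt, because here the command returned 0 while the ACL stayed unchanged. The following is an added example, not part of the original report or of the Red Hat test suite; the function names, the outcome labels and the `GETFACL` / `SETFACL_AS` override variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug report). GETFACL and SETFACL_AS are
# hypothetical hooks so the logic can be run against stubs without an NFS mount.

# classify_acl_attempt RC ACL_BEFORE ACL_AFTER
# Judges the attempt on both the exit status and the resulting ACL.
classify_acl_attempt() {
    c_rc=$1; c_before=$2; c_after=$3
    if [ "$c_before" = "$c_after" ]; then
        if [ "$c_rc" -eq 0 ]; then
            echo "SILENT_FAILURE"      # case in this report: status 0, ACL unchanged
        else
            echo "DENIED"              # expected: error returned, ACL unchanged
        fi
    elif [ "$c_rc" -eq 0 ]; then
        echo "ACL_CHANGED"             # the non-owner's ACE was applied
    else
        echo "CHANGED_WITH_ERROR"      # error returned but the ACL still differs
    fi
}

# Default runner: the same invocation the test log uses.
run_setfacl_as() {
    su "$1" -c "nfs4_setfacl -a \"$2\" \"$3\""
}

# check_unauthorized_setfacl USER ACE FILE
check_unauthorized_setfacl() {
    u_user=$1; u_ace=$2; u_file=$3
    # Drop the "# file:" header so only ACEs are compared.
    u_before=$(${GETFACL:-nfs4_getfacl} "$u_file" | sed '/^#/d')
    u_rc=0
    ${SETFACL_AS:-run_setfacl_as} "$u_user" "$u_ace" "$u_file" >/dev/null 2>&1 || u_rc=$?
    u_after=$(${GETFACL:-nfs4_getfacl} "$u_file" | sed '/^#/d')
    classify_acl_attempt "$u_rc" "$u_before" "$u_after"
}

# Usage: script USER ACE FILE; exits 0 only when the attempt was denied.
if [ "$#" -eq 3 ]; then
    result=$(check_unauthorized_setfacl "$1" "$2" "$3")
    echo "$result"
    [ "$result" = "DENIED" ]
fi
```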