Bug 454072

Summary: RHEL 5.1 - cp and chmod don't respect NFSv4 ACLs
Product: Red Hat Enterprise Linux 5 Reporter: Steve <sfernand>
Component: coreutilsAssignee: Ondrej Vasik <ovasik>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: jscotka, kdudka, marcobillpeter, msusta, rvokal, staubach, syeghiay, tao, ybabar
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1646985 (view as bug list) Environment:
Last Closed: 2009-09-02 09:17:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1646985    
Attachments:
Description Flags
strace -ftvo nfs4_getfacl.strace nfs4_getfacl foo
none
strace -ftvo cp.strace cp --preserve=all foo bar none

Description Steve 2008-07-04 11:37:51 UTC 
This is an escalation from Issue tracker.

------------------------- Original report -----------------------
Description of problem:
Acls are not respected by cp and chmod commands when accessed via NFSv4

How reproducible:
Every time.

Steps to Reproduce:
Setup a RHEL 5.1 server with NFSv4 share backed with ext3 filesystem and put an
ACL on one of the files.[1]
Setup a RHEL 5.1 client and mount the NFSv4 share. See the acl is still on the
file.[2]  Cp the file and see the new copy does not retain the ACL. 
Alternatively if you chmod the original it will remove the ACL as well.

Actual results:
When accessing files via NFSv4 the ACLs get removed.

Expected results:
ACL should remain if you make a cp or chmod via NFSv4.

Additional info:
Affected rpm: coreutils.

When looking at an strace to try to see where the issue lies you can see when
you do a nfs4_getacl it uses system.nfs4_acl call where as the cp uses
system.posix_acl_access call and is not aware of nfsv4.
------------------------- Original report -----------------------

Note that in the original report ...

[1] ACL being set from the server is the posix acl using setfacl.
[2] This posix acl gets mapped on to the NFS acl and is displayed when we use
nfs4_getfacl from the client. However, doing a getfacl from the client does not
show the posix acl.

- steve
Comment 1 Ondrej Vasik 2008-07-04 11:46:34 UTC 
Could you please attach that strace(s) from issue tracker? I don't have access
there.
Comment 2 Steve 2008-07-04 12:08:42 UTC 
Created attachment 311035 [details]
strace -ftvo nfs4_getfacl.strace nfs4_getfacl foo

strace of nfs4_getfacl from the client.
Comment 3 Steve 2008-07-04 12:10:37 UTC 
Created attachment 311036 [details]
strace -ftvo cp.strace cp --preserve=all foo bar

strace of cp --preserve=all foo bar executed on the client.
Comment 6 Ondrej Vasik 2008-07-08 12:35:12 UTC 
I agree that it affects cp (and that cp/mv/install doesn't preserve NFSv4 ACL's
on files) - as the NFSv4 ACL's are not supported by libacl which is used by
coreutils. 
But I don't see anything wrong with NFSv4(or better said ACL's) about chmod
command. Coreutils command chmod(man 1 chmod) has imho nothing to do with ACL's
(maybe syscall from sys/types.h (man 2 chmod) has, but this is not comming from
coreutils). Correct me if I'm wrong.
Comment 7 Jim Meyering 2008-07-14 13:10:14 UTC 
thanks for the report.
This has been addressed upstream, since coreutils-6.12, thanks to changes by
Bruno Haible in gnulib.
In case you want to try the work-in-progress, here's a relatively recent
snapshot http://meyering.net/cu/coreutils-ss.tar.gz
Comment 13 Kamil Dudka 2008-12-16 14:15:39 UTC 
Patch for coreutils cp/mv xattr support (which solves this bug as well) has been sent to bug-coreutils mailing list: http://lists.gnu.org/archive/html/bug-coreutils/2008-11/msg00108.html

Now it is pending for review as it is not high priority.
Comment 25 errata-xmlrpc 2009-09-02 09:17:11 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-1262.html