Bug 876528
| Summary: | Set-group-ID (SGID) bit not inherited on XFS file system with ACLs on directory | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Aaron Tomlin <atomlin> | |
| Component: | kernel | Assignee: | Carlos Maiolino <cmaiolin> | |
| Status: | CLOSED ERRATA | QA Contact: | Eryu Guan <eguan> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 6.3 | CC: | bfoster, branto, cmaiolin, dchinner, eguan, esandeen, jcpunk, lczerner, pablo.iranzo, plambri, rwheeler, zab | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | kernel-2.6.32-408.el6 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1019699 (view as bug list) | Environment: | ||
| Last Closed: | 2013-11-21 13:51:42 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1019699 | |||
Hi, Is there any ETA for a fix for this situation? Customer is heavily using ACL's on XFS systems (for SAS), and has detected those problems with the behaviour of the sticky bit. Thanks, Pablo We're looking at it now. I sent an xfstests testcase upstream which demonstrates the behavior (generic/313). TBH, we're trying to work out what the proper behavior really is... Has the customer seen actual functional problems, or is the lack of the sticky bit more of a curiosity? (In reply to Eric Sandeen from comment #10) > Has the customer seen actual functional problems, or is the lack of the > sticky bit more of a curiosity? Yes, we found the BZ after they observed this behaviour Hi, this is just a matter of naming, but the bugzilla subject is wrong. The problem here is not in the Sticky bit (S_ISVTX or 01000), but in set-group-ID bit (S_ISGID or 02000). I'm going to change the subject since it might cause confusion, misinterpretation and even false positive searches on BZ search engine (and other search engines). TBH I've never seen anybody saying "group sticky bit" and this isn't the way the manpage describes it, so, it's better to keep it aligned with the manpage Hi, the behaviour is caused while XFS checks for group permissions in the path xfs_setattr_nonsize()->inode_change_ok() and, xfs_setattr_mode(), where, in both cases, I_SGID is being revoked when the effective group id do not match with the group of the file/directory. the problem here looks to be this check being done after we inherit parent's permissions, so, since the current effective group id do not match the default acl, SGID is revoked. As said previously, this is an upstream bug indeed, so, it's also being discussed upstream, I'll update the bugzilla as soon as I have some good idea about how to fix it. --Carlos Hi, I sent a patch fixing the problem to the upstream xfs community, the patch is being reviewed and will be ported to our kernel soon. --Carlos This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Patch(es) available on kernel-2.6.32-408.el6 xfstests generic/314 fails on kernel-2.6.32-358.el6
FSTYP -- xfs (non-debug)
PLATFORM -- Linux/x86_64 dhcp12-195 2.6.32-358.el6.x86_64
MKFS_OPTIONS -- -f -b size=4096 /dev/sda6
MOUNT_OPTIONS -- -o context=system_u:object_r:nfs_t:s0 /dev/sda6 /mnt/testarea/scratch
generic/314 - output mismatch (see /var/lib/xfstests/results/generic/314.out.bad)
--- tests/generic/314.out 2013-09-05 17:12:12.732601444 +0800
+++ /var/lib/xfstests/results/generic/314.out.bad 2013-09-05 17:12:33.868601421 +0800
@@ -1,3 +1,3 @@
QA output created by 314
drwxr-sr-x subdir
-drwxrwsr-x+ subdir2
+drwxrwxr-x+ subdir2
...
(Run 'diff -u tests/generic/314.out /var/lib/xfstests/results/generic/314.out.bad' to see the entire diff)
Ran: generic/314
Failures: generic/314
Failed 1 of 1 tests
Verified on kernel-2.6.32-358.el6, generic/314 passes.
FSTYP -- xfs (non-debug)
PLATFORM -- Linux/x86_64 hp-dl388g8-03 2.6.32-414.el6.x86_64
MKFS_OPTIONS -- -f -bsize=4096 /dev/mapper/testvg-testlv2
MOUNT_OPTIONS -- -o context=system_u:object_r:nfs_t:s0 /dev/mapper/testvg-testlv2 /mnt/testarea/scratch
generic/314 0s ... 0s
Ran: generic/314
Passed all 1 tests
Set to VERIFIED
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-1645.html |
Created attachment 644753 [details] Systemtap script to capture the S_ISGID being removed in xfs_setattr() Description of problem: A child directory does not inherit the S_ISGID (group sticky bit) as expected, when the parent directory has ACL_TYPE_DEFAULT applied. S_ISGID is cleared in xfs_setattr() as illustrated below: /* * Change file access modes. */ if (mask & ATTR_MODE) { umode_t mode = iattr->ia_mode; if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID)) mode &= ~S_ISGID; ip->i_d.di_mode &= S_IFMT; ip->i_d.di_mode |= mode & ~S_IFMT; inode->i_mode &= S_IFMT; inode->i_mode |= mode & ~S_IFMT; } This is also demonstrated below, via Systemtap (script attached): $ sudo mkdir hello $ sudo chown -R test:test hello/ $ sudo chgrp fred hello/ - Set the group sticky bit $ sudo chmod 2775 hello/ $ cd hello/ - Create a directory and notice that the group sticky bit is applied for the "howareyou" directory as expected $ mkdir howareyou - Apply an ACL and a default ACL on the "hello" directory $ setfacl -m u:test:rwx,d:u:test:rwx . - Create another directory and notice how the group sticky bit is not applied $ mkdir howareyou4 $ ls -lia total 16 786752 drwxrwsr-x+ 6 test fred 73 Nov 4 21:44 . 128 drwxr-xr-x. 3 root root 18 Nov 4 13:49 .. 131 drwxrwsr-x. 2 test fred 6 Nov 3 13:50 howareyou 132 drwxrwxr-x+ 2 test fred 6 Nov 4 21:44 howareyou4 ... xfs_vn_mkdir: dir->i_ino: 786752 xfs_vn_mkdir: dir->i_mode: 42775 xfs_vn_mkdir: dir->i_sb->s_flags: 0x40010000 xfs_vn_mkdir: mode: 777 xfs_vn_mkdir: dentry->d_parent->d_iname: "hello" xfs_vn_mkdir: dentry->d_iname: "howareyou4" xfs_vn_mkdir: dentry->d_inode: 0x0 xfs_vn_mkdir: dentry->d_count: 1 xfs_vn_mkdir: dentry->d_flags: 0x0 xfs_set_mode: inode->i_ino: 132 xfs_set_mode: inode->i_mode: 42777 xfs_setattr: S_ISGID bit cleared 0xffffffffa036fcc0 : xfs_setattr+0x4b0/0xab0 [xfs] 0xffffffffa031e552 : xfs_set_mode+0x52/0x60 [xfs] 0xffffffffa031ec7a : xfs_inherit_acl+0x9a/0xf0 [xfs] 0xffffffffa037b503 : xfs_vn_mknod+0xe3/0x1c0 [xfs] 0xffffffffa037b5f3 : xfs_vn_mkdir+0x13/0x20 [xfs] 0xffffffff81188617 0x0 (inexact) xfs_setattr: inode->i_mode: 40775 0xffffffffa036fd18 : xfs_setattr+0x508/0xab0 [xfs] 0xffffffffa031e552 : xfs_set_mode+0x52/0x60 [xfs] 0xffffffffa031ec7a : xfs_inherit_acl+0x9a/0xf0 [xfs] 0xffffffffa037b503 : xfs_vn_mknod+0xe3/0x1c0 [xfs] 0xffffffffa037b5f3 : xfs_vn_mkdir+0x13/0x20 [xfs] 0xffffffff81188617 0x0 (inexact) Pass 5: run completed in 10usr/20sys/1241real ms. Version-Release number of selected component (if applicable): 2.6.32-279.2.1.el6 How reproducible: Always without fail Expected results: The group membership is preserved for all files and directories in that directory