Bug 1459972 - posix-acl: Whitelist virtual ACL xattrs
posix-acl: Whitelist virtual ACL xattrs
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: core (Show other bugs)
3.3
All All
unspecified Severity high
: ---
: RHGS 3.3.0
Assigned To: Soumya Koduri
Manisha Saini
: Triaged
Depends On: 1460649 1459971 1460650
Blocks: 1441131 1417151
  Show dependency treegraph
 
Reported: 2017-06-08 13:24 EDT by Soumya Koduri
Modified: 2017-09-21 00:59 EDT (History)
4 users (show)

See Also:
Fixed In Version: glusterfs-3.8.4-28
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1459971
: 1460647 (view as bug list)
Environment:
Last Closed: 2017-09-21 00:59:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Soumya Koduri 2017-06-08 13:24:22 EDT
+++ This bug was initially created as a clone of Bug #1459971 +++

Description of problem:

Similar to system.posix_acl_* xattrs, all users should be able to read virtual acl xattrs too (glusterfs.posix-acl-*). 

Otherwise it shall result in EACCESS error when any non-root user is trying to ACL of any file created under gluster volume.

Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. Start NFS-ganesha using a non-root user
2. Export a volume via NFS-Ganesha
3. Mount the volume using NFSv4
4. Try to read/get acl.


Actual results:
It results in "Permission denied" error.

Expected results:
All users should be able to read POSIX ACLs for any file.

Additional info:
Comment 2 Soumya Koduri 2017-06-08 13:29:26 EDT
Patch posted upstream for review - https://review.gluster.org/17493
Comment 3 Atin Mukherjee 2017-06-09 04:12:18 EDT
I believe this issue blocks BZ 1450836 and given the later is already approved for rhgs-3.3.0, this bug needs to be fixed for rhgs-3.3.0 and hence giving devel_ack.
Comment 4 Soumya Koduri 2017-06-12 06:55:26 EDT
Downstream patch:
https://code.engineering.redhat.com/gerrit/108787
Comment 9 Manisha Saini 2017-07-24 04:43:48 EDT
Verified this bug on 

# rpm -qa | grep ganesha
glusterfs-ganesha-3.8.4-34.el7rhgs.x86_64
nfs-ganesha-2.4.4-16.el7rhgs.x86_64
nfs-ganesha-gluster-2.4.4-16.el7rhgs.x86_64

-----------
Reproduced on 3.2
-----------

[root@dhcp37-192 posix]# touch ms
[root@dhcp37-192 posix]# ll
total 0
-rw-r--r--. 1 root root 0 Jul 24 13:07 ms
[root@dhcp37-192 posix]# chmod 700 ms 
[root@dhcp37-192 posix]# ll
total 0
-rwx------. 1 root root 0 Jul 24 13:07 ms
[root@dhcp37-192 posix]#  getfattr -n glusterfs.posix.acl /mnt/ganesha32_async/posix/ms 
getfattr: Removing leading '/' from absolute path names
# file: mnt/ganesha32_async/posix/ms
glusterfs.posix.acl="u::rwx,g::---,o::---"

[root@dhcp37-192 posix]# su user1
[user1@dhcp37-192 posix]$ getfattr -n glusterfs.posix.acl /mnt/ganesha32_async/posix/ms
/mnt/ganesha32_async/posix/ms: glusterfs.posix.acl: Permission denied
[user1@dhcp37-192 posix]$ 

===================================

----------
Verified on 3.3.
----------


[root@dhcp37-192 posix]# touch ms
[root@dhcp37-192 posix]# ll
total 0
-rw-r--r--. 1 root root 0 Jul 24 13:08 ms
[root@dhcp37-192 posix]# chmod 700 ms
[root@dhcp37-192 posix]# ll
total 0
-rwx------. 1 root root 0 Jul 24 13:08 ms
[root@dhcp37-192 posix]# getfattr -n glusterfs.posix.acl /mnt/ganesha33_disperse/posix/ms 
getfattr: Removing leading '/' from absolute path names
# file: mnt/ganesha33_disperse/posix/ms
glusterfs.posix.acl="u::rwx,g::---,o::---"

[root@dhcp37-192 posix]# su user1
[user1@dhcp37-192 posix]$ getfattr -n glusterfs.posix.acl /mnt/ganesha33_disperse/posix/ms 
getfattr: Removing leading '/' from absolute path names
# file: mnt/ganesha33_disperse/posix/ms
glusterfs.posix.acl="u::rwx,g::---,o::---"

Moving this bug to verified state.
Comment 11 errata-xmlrpc 2017-09-21 00:59:42 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2774

Note You need to log in before you can comment on or make changes to this bug.