Bug 1560575 - [CEE/SD][cephfs-fuse] on cephfs-fuse mounted directories with "rw-rw-rw-" permissions "cd" of such directory succeed and does not return "Permission denied"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: CephFS
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z3
Target Release: 3.0
Assignee: Jeff Layton
QA Contact: ceph-qe-bugs
Docs Contact: Aron Gunn
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-03-26 13:19 UTC by Tomas Petr
Modified: 2021-09-09 13:32 UTC (History)

Fixed In Version: RHEL: ceph-12.2.4-10.el7cp Ubuntu: ceph_12.2.4-14redhat1xenial
Doc Type: Bug Fix
Doc Text:
.A `ceph-fuse` mounted directory with `rw-rw-rw-` permissions no longer allows changing into that directory
A `ceph-fuse` routine used to check directory permissions was not fully implemented, which allowed change-directory checks to always pass. The `fuse_ll_access` call was implemented in `ceph-fuse`, and now a permissions check is done as expected when changing directories.
Clone Of:
Environment:
Last Closed: 2018-05-15 18:20:31 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Ceph Project Bug Tracker | 23509 | 0 | None | None | None | 2018-03-29 14:29:23 UTC
Red Hat Issue Tracker | RHCEPH-1561 | 0 | None | None | None | 2021-09-09 13:32:00 UTC
Red Hat Product Errata | RHBA-2018:1563 | 0 | None | None | None | 2018-05-15 18:21:25 UTC

Description Tomas Petr 2018-03-26 13:19:29 UTC
Description of problem:
We have encountered different behavior on a cephfs-fuse mounted directory than on base Linux or kernel driver mounted directories with regard to the "cd" command against a directory with "rw-rw-rw-" permissions:

$ id quicklab
uid=1000(quicklab) gid=1000(quicklab) groups=1000(quicklab),4(adm)

# cat /proc/mounts
...
/dev/rbd0 /mnt/ceph-test1 ext4 rw,seclabel,relatime,stripe=1024,data=ordered 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
ceph-fuse /mnt/ceph-test2 fuse.ceph-fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
10.74.157.1:6789,10.74.157.55:6789,10.74.156.172:6789:/ /mnt/ceph-test3 ceph rw,relatime,name=admin,secret=<hidden>,acl 0 0

[quicklab@mgmt-0 ~]$ df | grep ceph
/dev/rbd0                                                50264616  5955968  41732264  13% /mnt/ceph-test1
ceph-fuse                                               111099904  4788224 106311680   5% /mnt/ceph-test2
10.74.157.1:6789,10.74.157.55:6789,10.74.156.172:6789:/ 377286656 33939456 343347200   9% /mnt/ceph-test3

Linux base directory  behavior:
 - in regular Linux you cannot access the directory, as you can with cephfs Fuse:

but still can list:
[quicklab@mons-0 ~]$ ll /tmp/
total 0
drwxrw-rw-. 2 root root 17 Mar 20 10:44 test
[quicklab@mons-0 tmp]$ cd test/
-bash: cd: test/: Permission denied
[quicklab@mons-0 ~]$ ll /tmp/test/
ls: cannot access /tmp/test/aaa: Permission denied
total 0
-????????? ? ? ? ?            ? aaa
-----------------------

cephfs with kernel driver:
[root@mgmt-0 ~]# ll /mnt/ceph-test3
total 3704832
-rw-r--r-- 1 root root 3793747968 Mar 21 07:58 rhel-server-7.3-x86_64-dvd.iso
drwxrw-rw- 1 root root          1 Feb 15 07:19 test
drwxr-xr-x 1 root root         21 Mar 21 08:06 var
[root@mgmt-0 ~]# cat /mnt/ceph-test3/test/foo 
bar
barbar
bar
[root@mgmt-0 ~]# logout

[quicklab@mgmt-0 ~]$  cat /mnt/ceph-test3/test/foo
cat: /mnt/ceph-test3/test/foo: Permission denied
[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test3/test/
ls: cannot access /mnt/ceph-test3/test/foo: Permission denied
total 0
-????????? ? ? ? ?            ? foo
[quicklab@mgmt-0 ~]$ cd /mnt/ceph-test3/test/
-bash: cd: /mnt/ceph-test3/test/: Permission denied
-----------------------


cephfs_fuse behavior:

[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test2/
total 3704833
-rw-r--r--. 1 root root 3793747968 Mar 21 07:58 rhel-server-7.3-x86_64-dvd.iso
drwxrw-rw-. 1 root root         15 Feb 15 07:19 test
drwxr-xr-x. 1 root root 1107205021 Mar 21 08:06 var
[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test2/test/
ls: cannot access /mnt/ceph-test2/test/foo: Permission denied
total 0
-????????? ? ? ? ?            ? foo

-- allow you to get in --- 
[quicklab@mgmt-0 ~]$ cd /mnt/ceph-test2/test/    <----------------------
[quicklab@mgmt-0 test]$ ll
ls: cannot access foo: Permission denied
total 0
-????????? ? ? ? ?            ? foo
[quicklab@mgmt-0 test]$ touch file
touch: cannot touch ‘file’: Permission denied


Is this behavior expected? 



Version-Release number of selected component (if applicable):
ceph-fuse-12.2.1-40.el7cp.x86_64

How reproducible:
always

Steps to Reproduce:
1. mount cephfs-fuse directory
2. chmod 666 /mounted/directory
3. cd /mounted/directory

Actual results:


Expected results:


Additional info:
client ceph.conf:
[quicklab@mgmt-0 ~]$ egrep -v "^#|^$" /etc/ceph/ceph.conf 
[global]
fsid = 5600bcae-f539-4782-83b9-dbccba2b798e
mon initial members = mons-0,mons-1,mons-2
mon host = 10.74.157.1,10.74.157.55,10.74.156.172
public network = 10.74.156.0/22
cluster network = 192.168.1.0/

MDS ceph.conf:
[root@mdss-1 ~]# egrep -v "^#|^$" /etc/ceph/ceph.conf 
[global]
fsid = 5600bcae-f539-4782-83b9-dbccba2b798e
mon host = 10.74.157.1,10.74.157.55,10.74.156.172
public network = 10.74.156.0/22
cluster network = 192.168.1.0/28
[mds.mdss-0]
host = mdss-0
[mds.mdss-1]
host = mdss-1

# ceph fs status
cephfs - 2 clients
======
+------+--------+--------+---------------+-------+-------+
| Rank | State  |  MDS   |    Activity   |  dns  |  inos |
+------+--------+--------+---------------+-------+-------+
|  0   | active | mdss-1 | Reqs:    0 /s | 2261  | 2260  |
+------+--------+--------+---------------+-------+-------+
+-----------------+----------+-------+-------+
|       Pool      |   type   |  used | avail |
+-----------------+----------+-------+-------+
| cephfs_metadata | metadata | 9243k |  108G |
|   cephfs_data   |   data   | 4900M |  108G |
+-----------------+----------+-------+-------+

+-------------+
| Standby MDS |
+-------------+
|    mdss-0   |
+-------------+

Comment 5 Jeff Layton 2018-03-29 14:29:59 UTC
I'll track this on the following upstream ceph bug for now:

    http://tracker.ceph.com/issues/23509

Comment 14 Ramakrishnan Periyasamy 2018-05-05 07:47:43 UTC
Moving this bz to verified state.

Comment 19 errata-xmlrpc 2018-05-15 18:20:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1563
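
The Doc Text for this bug says the directory permission check in `ceph-fuse` always passed until `fuse_ll_access` was implemented. The following C program is an added illustration, not code from Ceph or from this report: it contrasts an access handler that never consults the mode bits with a classic owner/group/other check, using the `drwxrw-rw-` root-owned directory and uid 1000 from the description. `struct attr`, `struct caller`, `access_stub` and `access_check` are hypothetical names, and ACLs are not modelled.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical inode attributes and caller identity, as a FUSE request would supply them. */
struct attr   { mode_t mode; uid_t uid; gid_t gid; };
struct caller { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

static int in_group(const struct caller *c, gid_t gid)
{
    if (c->gid == gid) return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* Shape of the defect in the Doc Text: the mode bits are never consulted,
 * so a change-directory permission check always passes. */
int access_stub(const struct attr *a, const struct caller *c, int mask)
{
    (void)a; (void)c; (void)mask;
    return 0;
}

/* Owner/group/other check for an access(2)-style mask. Returns 0 or -EACCES.
 * Assumes R_OK/W_OK/X_OK are 4/2/1 as on Linux; ACLs are not modelled. */
int access_check(const struct attr *a, const struct caller *c, int mask)
{
    int shift = 0;                                  /* default: "other" bits */
    if (c->uid == 0)                                /* root: search is always allowed on dirs */
        return (!(mask & X_OK) || S_ISDIR(a->mode) ||
                (a->mode & 0111)) ? 0 : -EACCES;
    if (c->uid == a->uid) shift = 6;                /* owner bits */
    else if (in_group(c, a->gid)) shift = 3;        /* group bits */
    return ((int)((a->mode >> shift) & 7) & mask) == mask ? 0 : -EACCES;
}

int main(void)
{
    /* Constructed sample: drwxrw-rw- root:root (040000 is the directory type bit)
     * and the unprivileged user from the report. */
    struct attr dir = {040766, 0, 0};
    const gid_t groups[] = {1000, 4};
    struct caller quicklab = {1000, 1000, groups, 2};
    printf("stub  X_OK: %d\n", access_stub(&dir, &quicklab, X_OK));
    printf("check X_OK: %d\n", access_check(&dir, &quicklab, X_OK));
    return 0;
}
```

Search permission on a directory is the execute bit, which is why mode 666 on the mounted directory is expected to make `cd` fail while read access for "other" is still granted.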

