Bug 2138321 - [Regression] The NFS v4 server won't return failure when failing to set ACLs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: 9.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jeff Layton
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-10-28 06:05 UTC by Yongcheng Yang
Modified: 2023-05-09 09:55 UTC (History)

Fixed In Version: kernel-5.14.0-239.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 08:05:41 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Gitlab | redhat/centos-stream/src/kernel centos-stream-9 merge_requests 1846 | 0 | None | opened | Follow-up fixes for nfsd for 9.2 | 2023-01-11 10:38:26 UTC
Red Hat Issue Tracker | RHELPLAN-137774 | 0 | None | None | None | 2022-10-28 06:32:40 UTC
Red Hat Product Errata | RHSA-2023:2458 | 0 | None | None | None | 2023-05-09 08:06:10 UTC

Description Yongcheng Yang 2022-10-28 06:05:38 UTC
Description of problem:
Since kernel-5.14.0-178.el9 we have a new failure when testing the NFSv4 ACLs.
The test scenario is that a user tries to set ACLs on a file that he doesn't have permission for. It should fail as before, but now it looks like the NFS v4 server won't return failure when it actually fails to set the ACLs.

Version-Release number of selected component (if applicable):
since kernel 5.14.0-178.el9

How reproducible:
always

Steps to Reproduce:
1. Try to `nfs4_setfacl` a file without having permission to do that.

Actual results:
https://beaker.engineering.redhat.com/jobs/7175603 (in kernel-5.14.0-178.el9)
---
[09:25:26 root@ ~~]# nfsstat -m
/mnt/nfsmp-user_permission_check from fsqe-r640-02.fs.lab.eng.bos.redhat.com:/exportdir-user_permission_check
 Flags:	rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.16.56.10,local_lock=none,addr=10.16.224.250

[09:25:26 root@ ~~]# su alice -c 'touch /mnt/nfsmp-user_permission_check/testfile_alice'
[09:25:26 root@ ~~]# ls -l /mnt/nfsmp-user_permission_check/testfile_alice
-rw-r--r--. 1 alice alice 0 Oct 27 09:25 /mnt/nfsmp-user_permission_check/testfile_alice
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice

# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy
{Info} Try to set the ACL by another user, should be failed.
[09:25:26 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
^^^^^^^^^^^^^^^ [   FAIL   ] :: Only the owner of a file should be able to set its ACL. (Expected 1-255, got 0)
[09:25:26 root@ ~~]# nfs4_getfacl /mnt/nfsmp-user_permission_check/testfile_alice

# file: /mnt/nfsmp-user_permission_check/testfile_alice
A::OWNER@:rwatTcCy
A::GROUP@:rtcy
A::EVERYONE@:rtcy


Expected results:
https://beaker.engineering.redhat.com/jobs/7179170 (with kernel-5.14.0-177.el9)
---
[01:09:51 root@ ~~]# su bob -c 'nfs4_setfacl -a "A::1002:rwaDxtTcCy" /mnt/nfsmp-user_permission_check/testfile_alice'
Failed setxattr operation: Operation not permitted


Additional info:
We have just updated a lot of NFS patches in Bug 2094072 and maybe those ACL updates matter:
[yoyang@yoyang-vm kernel-rhel9]$ git lo kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
 5ada9b19fb98 NFSD: fix regression with setting ACLs.
 be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs

Comment 1 Yongcheng Yang 2022-10-28 06:08:08 UTC
(In reply to Yongcheng Yang from comment #0)
> ... 
> Additional info:
> We have just updated a lot of NFS patches in Bug 2094072 and maybe those ACL updates matter:
> [yoyang@yoyang-vm kernel-rhel9]$ git lo
> kernel-5.14.0-178.el9...kernel-5.14.0-177.el9 | grep -i acl
>  5ada9b19fb98 NFSD: fix regression with setting ACLs.
>  be0d61202bbd NFSD: add posix ACLs to struct nfsd_attrs

And for now the upstream kernel (6.1.0-rc2+) also has this problem.

Comment 2 Jeff Layton 2022-11-07 11:56:37 UTC
Making this bug public since there isn't any proprietary info here.

Comment 3 Jeff Layton 2022-11-07 12:01:54 UTC
Patch posted upstream:

https://lore.kernel.org/linux-nfs/20221107115841.26380-1-jlayton@kernel.org/T/#u

Comment 6 Jeff Layton 2022-11-10 20:52:16 UTC
Moving back to ASSIGNED as we need to wait for the patches to hit mainline.

Comment 24 Yongcheng Yang 2023-01-26 11:39:57 UTC
Have just verified this issue in kernel 5.14.0-239.el9:
https://beaker.engineering.redhat.com/jobs/7468311

Comment 26 errata-xmlrpc 2023-05-09 08:05:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2458

