misc/174948: owner@ always has ZFS ACL full permissions. Should not be the case.
Sandra
littlesandra88 at gmail.com
Thu Jan 3 15:40:01 UTC 2013
>Number: 174948
>Category: misc
>Synopsis: owner@ always has ZFS ACL full permissions. Should not be the case.
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 03 15:40:01 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Sandra
>Release: 9
>Organization:
>Environment:
>Description:
The Oracle ZFS spec says
http://docs.oracle.com/cd/E19253-01/819-5461/ftyxi/index.html
"The owner of a file is granted the write_acl permission unconditionally, even if the permission is explicitly denied."
But it is not possible to restrict the owner in any way.
The following is the output from the script in "How to repeat the problem", which shows that removing all ACLs on owner@ has no effect.
p="/tank/project1"
f="$p/test2"
u="user1"
rm -f $f
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@::fd:allow $p || exit 1
setfacl -m u:$u:rwx:fd:allow $p || exit 1
setfacl -m u:$u:aA:fd:deny $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
user:user1:------aA------:fd----:deny
user:user1:rwx-----------:fd----:allow
owner@:--------------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow
su -m $u -c "echo test > $f"
setfacl -m u:$u::allow $f || exit 1
getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:user1:------aA------:------:deny
user:user1:--------------:------:allow
owner@:--------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
su -m $u -c "touch -amct 191212121212 $f"
ls -l $f
----------+ 1 user1 wheel 5 Dec 12 1912 /tank/project1/test2
su -m $u -c "cat $f"
cat: /tank/project1/test2: Permission denied
su -m $u -c "chmod 777 $f"
ls -l $f
-rwxrwxrwx+ 1 user1 wheel 5 Dec 12 1912 /tank/project1/test2
su -m $u -c "cat $f"
test
su -m $u -c "setfacl -m u:$u:full_set:allow $f"
su -m $u -c "setfacl -x u:$u::deny $f"
getfacl $f
# file: /tank/project1/test2
# owner: user1
# group: wheel
user:user1:rwxpDdaARWcCos:------:allow
owner@:rwxp--aARWcCos:------:allow
group@:rwxp--a-R-c--s:------:allow
everyone@:rwxp--a-R-c--s:------:allow
>How-To-Repeat:
p="/tank/project1"
f="$p/test2"
u="user1"
rm -f $f
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@::fd:allow $p || exit 1
setfacl -m u:$u:rwx:fd:allow $p || exit 1
setfacl -m u:$u:aA:fd:deny $p || exit 1
getfacl $p
su -m $u -c "echo test > $f"
setfacl -m u:$u::allow $f || exit 1
getfacl $f
su -m $u -c "touch -amct 191212121212 $f"
ls -l $f
su -m $u -c "cat $f"
su -m $u -c "chmod 777 $f"
ls -l $f
su -m $u -c "cat $f"
su -m $u -c "setfacl -m u:$u:full_set:allow $f"
su -m $u -c "setfacl -x u:$u::deny $f"
getfacl $f
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
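The behaviour the report demonstrates, as an added example that is neither part of the PR nor ZFS code: a Python model of first-match NFSv4 ACE evaluation plus the rule quoted from the Oracle docs (the owner always holds write_acl), run against the getfacl output for /tank/project1/test2 with one constructed extra entry that explicitly denies write_acl to the owner. It assumes user1 is a member of wheel and that setfacl/chmod by the owner need only write_acl.

```python
# Added example (not ZFS code): model NFSv4 ACL evaluation plus the owner rule quoted
# from the Oracle docs, run on the PR's getfacl output in compact getfacl(1) form.
PERM = {"r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
        "D": "delete_child", "d": "delete", "a": "read_attributes",
        "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
        "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize"}

def parse_getfacl(text):
    """Compact getfacl(1) lines -> list of (tag, qualifier, perm set, 'allow'|'deny')."""
    acl = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip '# file:' / '# owner:' headers
            continue
        f = line.split(":")
        if f[0].endswith("@"):                  # owner@ / group@ / everyone@
            tag, who, perms, kind = f[0], None, f[1], f[3]
        else:                                   # user:NAME:... / group:NAME:...
            tag, who, perms, kind = f[0], f[1], f[2], f[4]
        acl.append((tag, who, {PERM[c] for c in perms if c != "-"}, kind))
    return acl

def applies(entry, user, groups, owner, owning_group):
    tag, who = entry[0], entry[1]               # does this ACE match the requester?
    return (tag == "everyone@" or (tag == "owner@" and user == owner)
            or (tag == "group@" and owning_group in groups)
            or (tag == "user" and who == user) or (tag == "group" and who in groups))

def check_access(acl, wanted, user, groups, owner, owning_group="wheel"):
    """True if every permission in `wanted` is granted; the first matching ACE decides each bit."""
    undecided = set(wanted)
    if user == owner:                # the rule the PR is about: the owner always has write_acl
        undecided.discard("write_acl")
    for entry in acl:
        if not applies(entry, user, groups, owner, owning_group):
            continue
        hit = undecided & entry[2]   # bits this ACE decides
        if hit and entry[3] == "deny":
            return False
        undecided -= hit
    return not undecided             # a bit that no ACE allows is denied

# Constructed input: the test2 ACL from the PR plus an extra explicit deny of write_acl (C).
FILE_ACL = """\
user:user1:------aA------:------:deny
user:user1:-----------C--:------:deny
user:user1:--------------:------:allow
owner@:--------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
"""
```

With this ACL the owner (user1) is refused read_data, matching the "Permission denied" from cat, yet is still granted write_acl, which is why the owner's own setfacl and chmod succeed and the restriction cannot be made to stick.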