Linux could write to read only files on FreeBSD NFS server
Peter Eriksson
pen at lysator.liu.se
Thu Feb 27 21:03:29 UTC 2020
I can verify that this indeed seems to be the case - the file owner can always write to files, no matter the permissions set.
Tested both locally (on ZFS) and over NFS (from the same directory).
- Peter
> $ touch x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::rw-
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ chmod -w x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::r--
> group::r--
> other::r--
>
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> $ echo aaa >>x
>
> $ cat x
> aaa
Not even a “deny” ACL stops writing :-). It does stop me from reading the file contents afterwards though :-)
> $ acltool edit owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rwxpd-aARWcCos:-------:deny
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ echo foo >>x
> $ cat x
> cat: x: Permission denied
> $ acltool edit -- -owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ cat x
> aaa
> foo
Btw “acltool” is a small tool I’ve been creating because I find the current crop of NFSv4/ZFS-ACL handling tools a bit… “lacking”.
The current “Work-in-progress” can be downloaded from
https://github.com/ptrrkssn/acltool
Compiles and works on FreeBSD, Solaris & Linux (only over NFSv4 for Linux) sadly. No POSIX-ACL-support (at least not yet).
- Peter
> On 27 Feb 2020, at 18:41, Luoqi Chen <luoqi.chen at gmail.com> wrote:
>
> Hi,
>
> This was actually a pretty old problem, I noticed it a few years back and
> have been monitoring it when I upgrade the os on either the linux or the
> freebsd side -- it's still present between the latest centos and freebsd as
> of today. I meant to look into this issue myself, but had never found time
> for it, that's why I'm writing to this list, maybe it's a known problem or
> someone's willing to spend some time on it.
>
> And here you go, the problem,
>
> % cat ~/rotest.sh
> #!/bin/sh
> cp /dev/null x
> getfacl x
> chmod -w x
> getfacl x
> echo aaa >> x
> echo status $?
> cat x
> rm -f x
> % sh ~/rotest.sh
> # file: x
> # owner: luoqi
> # group: wheel
> user::rw-
> group::r--
> other::r--
>
> # file: x
> # owner: luoqi
> # group: wheel
> user::r--
> group::r--
> other::r--
>
> status 0
> aaa
>
> The script was run on a centos inside a directory nfs mounted from a
> freebsd. The append would fail for a centos/centos or a freebsd/freebsd
> combo. It's very easy to reproduce, it doesn't depend on any specific
> centos or freebsd version, nor on nfs version 3 or 4, nor on underlying
> file system ffs or zfs.
>
> -luoqi
> _______________________________________________
> freebsd-fs at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe at freebsd.org"
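Added example (not part of the original message or of acltool): the three ACLs listed in the message, evaluated with the ordered ACE rules of RFC 7530 section 6.2.1 to show what they say about the owner's access. `parse_acl` and `evaluate` are hypothetical helper names, and the sketch assumes the owner matches `owner@`, `group@` and `everyone@`.

```python
# ACL text taken from the acltool listings in the message; the flags field is ignored.
# parse_acl() and evaluate() are hypothetical helpers written for this example.
BEFORE_CHMOD = """
owner@:rw-p--aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""
AFTER_CHMOD = """
owner@:r-----aARWcCos:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""
WITH_DENY = """
owner@:rwxpd-aARWcCos:-------:deny
owner@:r-----a-R-cC-s:-------:allow
group@:r-----a-R-c--s:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""
OWNER = {"owner@", "group@", "everyone@"}  # assumption: owner is in the file's group

def parse_acl(text):
    """Parse 'who:perms:flags:type' lines into (who, perm_letters, type) tuples."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        who, perms, _flags, ace_type = line.rsplit(":", 3)
        aces.append((who, set(perms) - {"-"}, ace_type))
    return aces

def evaluate(aces, principals, wanted):
    """True if every letter in `wanted` is allowed before any of them is denied."""
    undecided = set(wanted)
    for who, perms, ace_type in aces:
        if who not in principals:
            continue
        hit = undecided & perms
        if ace_type == "deny" and hit:
            return False      # first matching deny for a wanted bit decides
        if ace_type == "allow":
            undecided -= hit
        if not undecided:
            return True
    return False              # bits that no ACE granted are denied
```

By these rules both the ACL after `chmod -w` and the one with the deny entry refuse `w` (write_data) and `p` (append_data) to the owner, while the transcripts show the append succeeding. Only the denied read matches the evaluation.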