From owner-freebsd-bugs@freebsd.org Sun May 27 10:21:21 2018 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F0138EFD4EF for ; Sun, 27 May 2018 10:21:20 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org [IPv6:2001:1900:2254:206a::50:5]) by mx1.freebsd.org (Postfix) with ESMTP id 873F87A9D6 for ; Sun, 27 May 2018 10:21:20 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: by mailman.ysv.freebsd.org (Postfix) id 40E42EFD4E5; Sun, 27 May 2018 10:21:20 +0000 (UTC) Delivered-To: bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 04185EFD4E4 for ; Sun, 27 May 2018 10:21:20 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org [IPv6:2001:1900:2254:206a::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.ysv.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 94E6E7A9D4 for ; Sun, 27 May 2018 10:21:19 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id D36FAE732 for ; Sun, 27 May 2018 10:21:18 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id w4RALI2A067392 for ; Sun, 27 May 2018 10:21:18 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from www@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id w4RALIj8067391 for bugs@FreeBSD.org; Sun, 27 May 2018 10:21:18 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 228538] [permissions] effective allow/deny ACLs incorrectly evaluated in some cases [reproducible] Date: Sun, 27 May 2018 10:21:18 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: kern X-Bugzilla-Version: 11.1-RELEASE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Some People X-Bugzilla-Who: stilezy@gmail.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 27 May 2018 10:21:21 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D228538 Bug ID: 228538 Summary: [permissions] effective allow/deny ACLs incorrectly evaluated in some cases [reproducible] Product: Base System Version: 11.1-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: kern Assignee: bugs@FreeBSD.org Reporter: stilezy@gmail.com I've managed to get reproducible behaviour on FreeBSD 11.1-REL, showing tha= t: 1) an NFSv4 ACE that shouldn't affect the access granted to an account, does seem to affect it; and=20 2) giving the account "ra" instead or "r" rights bypasses the account's "re= ad directory content" denied access, even though "a" shouldn't be relevant to = (or change) the affected access. Test output follows below.=20 I've interspersed commands/output from two parallel sessions, one (#) privileged, the other (%) unprivileged.=20 Comments are in ALL-CAPS. -------------- COMMENT: CHECK MOUNT OPTIONS ARE NORMAL, AND SET UP A CLEAN TEST DIR + CONT= ENTS # mount | grep testpool testpool on /mnt/testpool (zfs, local, noatime, nfsv4acls) testpool/User_files on /mnt/testpool/User_files (zfs, local, noatime, nfsv4acls) # mkdir /mnt/testpool/test5; mkdir /mnt/testpool/test5/subdir; touch /mnt/testpool/test5/subfile; ls -1F /mnt/testpool/test5 subfile subdir/ COMMENT: CHECK OUR DIR IS READABLE WITH A NEWLY CREATED UNPRIVILEGED ACCOUN= T IN ANOTHER SSH WINDOW: % ls /mnt/testpool/test5 subdir subfile COMMENT: QUICKLY SET UP SOME ACLS TO EXHIBIT THE BEHAVIOUR: COMMENT: THESE ACLS SHOULD ALLOW THE UNPRIVILEGED ACCOUNT TO READ THE DIR B= UT NOTHING ELSE (AND THEY DO - SO FAR IT'S OK) # setfacl -a 0 everyone@:r::allow,owner@::allow,group@::allow,everyone@::al= low /mnt/testpool/test5 ; \ setfacl -x 4 /mnt/testpool/test5; setfacl -x 4 /mnt/testpool/test5; set= facl -x 4 /mnt/testpool/test5; getfacl /mnt/testpool/test5 # file: /mnt/testpool/test5 # owner: root # group: wheel everyone@:r-------------:-------:allow owner@:--------------:-------:allow group@:--------------:-------:allow everyone@:--------------:-------:allow COMMENT: CHECK THAT OUR UNPRIVILEGED ACCOUNT CAN READ THE DIR AS EXPECTED, = AND ONLY NEEDS "r" TO DO SO: % ls /mnt/testpool/test5 subdir subfile COMMENT: SO FAR ALL IS OK. COMMENT: NOW ADD A SINGLE ACE THAT SHOULDN'T AFFECT OUR UNPRIVILEGED ACCOUN= T AT ALL COMMENT: NOTHING SHOULD HAVE CHANGED FOR OUR UNPRIVILEGED ACCOUNT, BUT IT N= OW CANNOT READ THE DIR. # setfacl -a 1 group:nogroup:rwxpDda-R-c---:fd-----:allow /mnt/testpool/tes= t5 ; getfacl /mnt/testpool/test5 # file: /mnt/testpool/test5 # owner: root # group: wheel everyone@:r-------------:-------:allow group:nogroup:rwxpDda-R-c---:fd-----:allow owner@:--------------:-------:allow group@:--------------:-------:allow everyone@:--------------:-------:allow % ls /mnt/testpool/test5 ls: /mnt/testpool/test5: Permission denied COMMENT: LET'S GIVE THE UNPRIVILEGED ACCOUNT 'ra' INSTEAD OF 'r'.=20 COMMENT: WITH "ra" IT CAN READ THE DIR AGAIN: # setfacl -a 0 everyone@:ra::allow /mnt/testpool/test5 ; getfacl /mnt/testpool/test5 # file: /mnt/testpool/test5 # owner: root # group: wheel everyone@:r-----a-------:-------:allow everyone@:r-------------:-------:allow group:nogroup:rwxpDda-R-c---:fd-----:allow owner@:--------------:-------:allow group@:--------------:-------:allow everyone@:--------------:-------:allow % ls /mnt/testpool/test5 subdir subfile COMMENT: CONFIRM THE "a" WAS NECESSARY, BY REMOVING IT.=20 COMMENT: THE UNPRIVILEGED ACCOUNT CAN NOT READ THE DIR WITHOUT "ra": # setfacl -x 0 /mnt/testpool/test5 ; getfacl /mnt/testpool/test5 # file: /mnt/testpool/test5 # owner: root # group: wheel everyone@:r-------------:-------:allow group:nogroup:rwxpDda-R-c---:fd-----:allow owner@:--------------:-------:allow group@:--------------:-------:allow everyone@:--------------:-------:allow % ls /mnt/testpool/test5 ls: /mnt/testpool/test5: Permission denied --=20 You are receiving this mail because: You are the assignee for the bug.=