From: Peter Eriksson <pen@lysator.liu.se>
To: FreeBSD Filesystems <freebsd-fs@freebsd.org>
Subject: Re: Linux could write to read only files on FreeBSD NFS server
Date: Thu, 27 Feb 2020 22:03:20 +0100
Message-Id: <707243CD-C67E-4DAD-AC5A-68EC11CFFDFD@lysator.liu.se>

I can verify that this indeed seems to be the case - the file owner can always write to files, no matter the permissions set. Tested both locally (on ZFS) and over NFS (from the same directory).
- Peter

> $ touch x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::rw-
> group::r--
> other::r--
> 
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> 
> $ chmod -w x
> $ getfacl x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> user::r--
> group::r--
> other::r--
> 
> $ acltool list-access x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> 
> $ echo aaa >>x
> 
> $ cat x
> aaa

Not even a “deny” ACL stops writing :-). It does stop me from reading the file contents afterwards though :-)

> $ acltool edit owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:rwxpd-aARWcCos:-------:deny
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ echo foo >>x
> $ cat x
> cat: x: Permission denied
> $ acltool edit -- -owner@:ALL::deny x
> $ acltool lac x
> # file: x
> # owner: peter86
> # group: employee-liu.se
> owner@:r-----a-R-cC-s:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
> $ cat x
> aaa
> foo

Btw “acltool” is a small tool I’ve been creating because I find the current crop of NFSv4/ZFS-ACL handling tools a bit… “lacking”.

The current “Work-in-progress” can be downloaded from https://github.com/ptrrkssn/acltool

Compiles and works on FreeBSD, Solaris & Linux (only over NFSv4 for Linux) sadly. No POSIX-ACL-support (at least not yet).
- Peter

> On 27 Feb 2020, at 18:41, Luoqi Chen wrote:
> 
> Hi,
> 
> This was actually a pretty old problem, I noticed it a few years back and
> have been monitoring it when I upgrade the os on either the linux or the
> freebsd side -- it's still present between the latest centos and freebsd as
> of today. I meant to look into this issue myself, but had never found time
> for it, that's why I'm writing to this list, maybe it's a known problem or
> someone's willing to spend some time on it.
> 
> And here you go, the problem,
> 
> % cat ~/rotest.sh
> #!/bin/sh
> cp /dev/null x
> getfacl x
> chmod -w x
> getfacl x
> echo aaa >> x
> echo status $?
> cat x
> rm -f x
> % sh ~/rotest.sh
> # file: x
> # owner: luoqi
> # group: wheel
> user::rw-
> group::r--
> other::r--
> 
> # file: x
> # owner: luoqi
> # group: wheel
> user::r--
> group::r--
> other::r--
> 
> status 0
> aaa
> 
> The script was run on a centos inside a directory nfs mounted from a
> freebsd. The append would fail for a centos/centos or a freebsd/freebsd
> combo. It's very easy to reproduce, it doesn't depend on any specific
> centos or freebsd version, nor on nfs version 3 or 4, nor on underlying
> file system ffs or zfs.
> 
> -luoqi
> _______________________________________________
> freebsd-fs@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-fs
> To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org"
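The reproduction in the thread is a quick one-off; the script below is an added example (not Luoqi's rotest.sh, not acltool, and not anything from the FreeBSD project) that turns it into a self-cleaning probe with a pass/fail exit status, so it can be run from a client against each NFS mount point of interest. It assumes: POSIX sh with mktemp(1); that it is run as the unprivileged user who will own the test file (root legitimately bypasses mode bits on both Linux and FreeBSD, so a root run reports "writable" without proving anything); and a target directory given as the first argument (the default `.` and the file name prefix `rotest.` are this example's own choices).

```shell
#!/bin/sh
# Added example (not the script from the thread): probe whether the owner of a
# file can still append to it after write permission has been removed.
# Run it as the unprivileged user who owns the test file, on the NFS client,
# with the mount point of the export under test as the argument.

# probe_owner_write DIR
#   Creates a temporary file in DIR, strips all write bits, tries to append
#   as the owner, and prints "writable" or "read-only" (return 0).
#   Returns 1 only if the probe itself could not be set up.
probe_owner_write() {
    dir=${1:-.}
    f=$(mktemp "$dir/rotest.XXXXXX") || return 1
    # 0444: no write bit for owner, group or other.
    chmod 0444 "$f" || { rm -f "$f"; return 1; }
    # The append is attempted by this user, i.e. the file's owner.
    # stderr is redirected first so the shell's own "Permission denied"
    # for the failed open is swallowed too.
    if printf 'aaa\n' 2>/dev/null >>"$f" && [ "$(cat "$f")" = "aaa" ]; then
        result=writable
    else
        result=read-only
    fi
    rm -f "$f"
    printf '%s\n' "$result"
}

# expected_result
#   What a correctly behaving filesystem should answer for the current user:
#   uid 0 (or anything holding CAP_DAC_OVERRIDE) is allowed through,
#   everyone else must be refused.
expected_result() {
    if [ "$(id -u)" -eq 0 ]; then
        printf 'writable\n'
    else
        printf 'read-only\n'
    fi
}

main() {
    dir=${1:-.}
    got=$(probe_owner_write "$dir") || { echo "setup failed in $dir" >&2; exit 2; }
    want=$(expected_result)
    if [ "$got" = "$want" ]; then
        echo "$dir: owner append to 0444 file -> $got (as expected)"
    else
        echo "$dir: owner append to 0444 file -> $got, expected $want:" \
             "mode bits are not enforced for the owner" >&2
        exit 1
    fi
}

# Only run main when executed under the documented name (rotest.sh), so the
# functions can also be sourced and called individually.
case "$0" in
    */rotest.sh|rotest.sh) main "$@" ;;
esac
```

Typical use is `sh rotest.sh /mnt/export` as a normal user on the client, once per mount point; exit status 0 means the mode bits held, 1 means the owner could append to a 0444 file (the behaviour reported in the thread), 2 means the directory was not usable for the probe. Running it on a local directory of the same client first gives the baseline to compare against.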