In the output below, which is from the script in "How to repeat the problem", it can be seen that user "www", which doesn't own file1 and only has "rx" permissions on /tank/project1/test3, is able to delete /tank/project1/test3/file1 and by doing that update the timestamp on /tank/project1/test3. This should not be possible with the given permissions.

#!/usr/local/bin/bash -v
clear
p="/tank/project1"
d="$p/test3"
u="user1"
rm -rf $d
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
          user:www:rwxpDdaARWcCos:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow
su -m $u -c "mkdir $d"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
          user:www:rwxpDdaARWcCos:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow
su -m $u -c "touch $d/file1"
# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
          user:www:r-x-----------:fd----:allow
          user:www:r-x-----------:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow
# www should be able to read and delete because file1 was created before the ACL
getfacl $d/file1
# file: /tank/project1/test3/file1
# owner: user1
# group: wheel
          user:www:rw-pDdaARWcCos:------:allow
        user:user1:rw-pDdaARWcCos:------:allow
            owner@:rw------------:------:allow
            group@:--------------:------:allow
         everyone@:--------------:------:allow
su -m www -c "touch $d/file2"
touch: /tank/project1/test3/file2: Permission denied
su -m www -c "cat $d/file1"
touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d
drwx------+  2 user1  wheel  2 Jan  7 12:25 /tank/project1/test3

How-To-Repeat:

#!/usr/local/bin/bash -v
clear
p="/tank/project1"
d="$p/test3"
u="user1"
rm -rf $d
setfacl -b $p
setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p
su -m $u -c "mkdir $d"
getfacl $d
su -m $u -c "touch $d/file1"
# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d
# www should not be able to delete file1, as delete has not been granted.
# Also notice that www's rm updates the timestamp on the parent dir.
# This should not be possible.
getfacl $d/file1
su -m www -c "touch $d/file2"
su -m www -c "cat $d/file1"
touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d
Responsible Changed From-To: freebsd-bugs->freebsd-fs Over to maintainer(s).
Responsible Changed From-To: freebsd-fs->trasz I'll take it.
State Changed From-To: open->feedback In your example, user www has 'delete' permission for test3/file1, so he doesn't need write permission for test3/. Right?
The problem is that user1 is the owner of /tank/project1/test3/file1, but www can delete it even though www only has rx permission.

Also notice

touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d

where I set the timestamp to 1912 for /tank/project1/test3, but when www deletes /tank/project1/test3/file1, the timestamp is updated on /tank/project1/test3, which www does not have permission to do.

www should have been denied to delete /tank/project1/test3/file1 because www does not have permission to update the timestamp on the parent directory /tank/project1/test3.
Message written by Sandra Schlichting on 3 Apr 2013, at 15:50:

> The following reply was made to PR kern/175101; it has been noted by GNATS.
>
> From: Sandra Schlichting <littlesandra88@gmail.com>
> To: bug-followup@freebsd.org, Sandra Schlichting <littlesandra88@gmail.com>
> Cc:
> Subject: Re: kern/175101: [zfs] [nfs] ZFS NFSv4 ACL's allows user without
> perm to delete and update timestamp
> Date: Wed, 3 Apr 2013 15:47:57 +0200
>
> The problem is that user1 is the owner of /tank/project1/test3/file1,
> but www can delete it even though www only has rx permission.

It has "rx" for the containing directory, but it also has "delete" permission on the file being removed; that's why removal is permitted.

> Also notice
>
> touch -amct 191212121212 $d
> su -m www -c "rm $d/file1"
> ls -ld $d
>
> where I set the timestamp to 1912 for /tank/project1/test3, but when
> www deletes /tank/project1/test3/file1, the timestamp is updated on
> /tank/project1/test3, which www does not have permission to do.

This is implicit - you don't need to be file owner to e.g. change modification time when you modify it.

> www should have been denied to delete /tank/project1/test3/file1
> because www does not have permission to update the timestamp on the
> parent directory /tank/project1/test3

See above.

--
If you cut off my head, what would I say? Me and my head, or me and my body?
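The maintainer's point above (it is the delete bit on the file, not write on the directory, that authorizes the unlink) can be checked against the report's own getfacl output with the following model, added here as an example; it is not code from the PR, from FreeBSD or from OpenZFS. It parses getfacl(1) NFSv4 output, applies first-match ACE evaluation, and follows the delete decision order given in the comment table above zfs_zaccess_delete() in zfs_acl.c, simplified: group membership is passed in explicitly and the sticky-bit case is left out. The two ACL texts are copied from the report; FILE1_FIXED is a constructed ACL showing what the owner of file1 would need on the file itself, since file1 was created while test3 still inherited full_set and the later change to test3's ACL did not rewrite the file's existing entries.

```python
"""NFSv4 ACL delete decision applied to the ACLs from the PR's getfacl output.
Added example, not PR or FreeBSD/OpenZFS code. Ordering follows the table in the
zfs_zaccess_delete() comment of zfs_acl.c (dir DELETE_CHILD allow, file DELETE
allow, explicit denies, then write+execute on the dir); sticky bit not modelled."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str    # "user:NAME", "group:NAME", "owner@", "group@" or "everyone@"
    perms: str  # getfacl letters ('-' placeholders removed): D delete_child, d delete, ...
    kind: str   # "allow" or "deny"

@dataclass(frozen=True)
class Acl:
    owner: str
    group: str
    aces: tuple   # ACE order matters: NFSv4 evaluation is first-match

def parse_getfacl(text):
    """Parse FreeBSD getfacl(1) NFSv4 output, keeping ACE order."""
    owner = group = ""
    aces = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            f = line.split(":")
            if f[0] in ("user", "group"):   # user:NAME:perms:flags:type
                who, perms, kind = f"{f[0]}:{f[1]}", f[2], f[4]
            else:                           # owner@:perms:flags:type
                who, perms, kind = f[0], f[1], f[3]
            aces.append(Ace(who, perms.replace("-", ""), kind))
    return Acl(owner, group, tuple(aces))

def _matches(ace, acl, user, groups):
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return user == acl.owner
    if ace.who == "group@":
        return acl.group in groups
    tag, _, name = ace.who.partition(":")
    return name == user if tag == "user" else name in groups

def decide(acl, user, groups, perm):
    """First ACE for this subject that mentions `perm` decides ('allow'/'deny');
    None means the ACL leaves the bit unspecified."""
    for ace in acl.aces:
        if perm in ace.perms and _matches(ace, acl, user, groups):
            return ace.kind
    return None

def may_delete(dir_acl, file_acl, user, groups=()):
    d_child = decide(dir_acl, user, groups, "D")
    f_del = decide(file_acl, user, groups, "d")
    if d_child == "allow":
        return True, "directory grants delete_child (D)"
    if f_del == "allow":
        return True, "file grants delete (d)"
    if "deny" in (d_child, f_del):
        return False, "explicit deny of delete_child or delete"
    if all(decide(dir_acl, user, groups, p) == "allow" for p in "wx"):
        return True, "directory grants write_data (w) and execute (x)"
    return False, "no delete, delete_child or write+execute grant"

def may_create(dir_acl, user, groups=()):
    # Creating an entry needs write_data (add_file) on the directory.
    return decide(dir_acl, user, groups, "w") == "allow"

# ACLs copied from the PR's getfacl output after user1's setfacl on test3.
DIR_TEST3 = parse_getfacl("""
# owner: user1
# group: wheel
user:www:r-x-----------:fd----:allow
user:www:r-x-----------:fd----:allow
user:user1:rwxpDdaARWcCos:fd----:allow
owner@:rwx-----------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow""")
FILE1 = parse_getfacl("""
# owner: user1
# group: wheel
user:www:rw-pDdaARWcCos:------:allow
user:user1:rw-pDdaARWcCos:------:allow
owner@:rw------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow""")
# Constructed: file1 after its owner also restricts www on the file itself. Re-check
# with getfacl: under first-match an earlier leftover entry granting 'd' still wins.
FILE1_FIXED = Acl(FILE1.owner, FILE1.group, tuple(
    Ace("user:www", "rx", "allow") if a.who == "user:www" else a for a in FILE1.aces))

def report():
    return {
        "www creates file2": may_create(DIR_TEST3, "www"),         # False: Permission denied
        "www deletes file1": may_delete(DIR_TEST3, FILE1, "www"),   # True: file grants delete (d)
        "www deletes file1 after fix": may_delete(DIR_TEST3, FILE1_FIXED, "www"),  # False
    }
```

The model reproduces the three observations in the report: www cannot create file2 (no write_data on test3), www can remove file1 (file1 itself carries delete for www), and removal is refused once file1 no longer grants delete. The directory mtime update the reporter objects to is not an access check at all, as the maintainer notes, so the model has no rule for it; the practical check for an owner who wants to lock a user out of existing files is getfacl on each file, not only on the directory.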
State Changed From-To: feedback->closed Not a bug.