Bug 228538 - [permissions] effective allow/deny ACLs incorrectly evaluated in some cases [reproducible]
Summary: [permissions] effective allow/deny ACLs incorrectly evaluated in some cases [...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.1-RELEASE
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-27 10:21 UTC by Stilez
Modified: 2018-05-31 13:20 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stilez 2018-05-27 10:21:18 UTC
I've managed to get reproducible behaviour on FreeBSD 11.1-REL, showing that:

1) an NFSv4 ACE that shouldn't affect the access granted to an account, does seem to affect it; and 

2) giving the account "ra" instead or "r" rights bypasses the account's "read directory content" denied access, even though "a" shouldn't be relevant to (or change) the affected access.

Test output follows below. 

I've interspersed commands/output from two parallel sessions, one (#) privileged, the other (%) unprivileged. 

Comments are in ALL-CAPS.


--------------

COMMENT: CHECK MOUNT OPTIONS ARE NORMAL, AND SET UP A CLEAN TEST DIR + CONTENTS

# mount | grep testpool
testpool on /mnt/testpool (zfs, local, noatime, nfsv4acls)
testpool/User_files on /mnt/testpool/User_files (zfs, local, noatime, nfsv4acls)

# mkdir /mnt/testpool/test5; mkdir /mnt/testpool/test5/subdir; touch /mnt/testpool/test5/subfile; ls -1F /mnt/testpool/test5
subfile
subdir/

COMMENT: CHECK OUR DIR IS READABLE WITH A NEWLY CREATED UNPRIVILEGED ACCOUNT IN ANOTHER SSH WINDOW:

% ls /mnt/testpool/test5
subdir  subfile

COMMENT: QUICKLY SET UP SOME ACLS TO EXHIBIT THE BEHAVIOUR:
COMMENT: THESE ACLS SHOULD ALLOW THE UNPRIVILEGED ACCOUNT TO READ THE DIR BUT NOTHING ELSE (AND THEY DO - SO FAR IT'S OK)

# setfacl -a 0 everyone@:r::allow,owner@::allow,group@::allow,everyone@::allow /mnt/testpool/test5 ; \
  setfacl -x 4 /mnt/testpool/test5;  setfacl -x 4 /mnt/testpool/test5;  setfacl -x 4 /mnt/testpool/test5; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

COMMENT: CHECK THAT OUR UNPRIVILEGED ACCOUNT CAN READ THE DIR AS EXPECTED, AND ONLY NEEDS "r" TO DO SO:

% ls /mnt/testpool/test5
subdir  subfile

COMMENT: SO FAR ALL IS OK.
COMMENT: NOW ADD A SINGLE ACE THAT SHOULDN'T AFFECT OUR UNPRIVILEGED ACCOUNT AT ALL
COMMENT: NOTHING SHOULD HAVE CHANGED FOR OUR UNPRIVILEGED ACCOUNT, BUT IT NOW CANNOT READ THE DIR.

# setfacl -a 1 group:nogroup:rwxpDda-R-c---:fd-----:allow /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
ls: /mnt/testpool/test5: Permission denied

COMMENT: LET'S GIVE THE UNPRIVILEGED ACCOUNT 'ra' INSTEAD OF 'r'. 
COMMENT: WITH "ra" IT CAN READ THE DIR AGAIN:

# setfacl -a 0 everyone@:ra::allow /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-----a-------:-------:allow
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
subdir  subfile

COMMENT: CONFIRM THE "a" WAS NECESSARY, BY REMOVING IT. 
COMMENT: THE UNPRIVILEGED ACCOUNT CAN NOT READ THE DIR WITHOUT "ra":

# setfacl -x 0 /mnt/testpool/test5 ; getfacl /mnt/testpool/test5
# file: /mnt/testpool/test5
# owner: root
# group: wheel
everyone@:r-------------:-------:allow
group:nogroup:rwxpDda-R-c---:fd-----:allow
owner@:--------------:-------:allow
group@:--------------:-------:allow
everyone@:--------------:-------:allow

% ls /mnt/testpool/test5
ls: /mnt/testpool/test5: Permission denied