[illumos-Developer] NFSv4 exclusive open breaks ACL's

Paul B. Henson henson at acm.org
Mon Jul 18 19:15:44 PDT 2011


The current implementation of exclusive open under NFS is somewhat 
broken in regards to ACLs; the initial create does not specify a mode, 
the mode is specified after the creation in a separate setattr. 
Unfortunately, this results in the initial creation without a mode 
inheriting the correct ACL, and the subsequent setattr effectively 
breaking it like a chmod :(.

This has been known about for a *long* time, Sun CR#6215088 was opened 
in 2005 describing the issue with UFS ACL's, but it has never been 
fixed. A new operation is in the NFSv4.1 spec which allows specifying 
attributes during an exclusive open (why didn't they fix this in NFSv4? 
The problem already existed <sigh>) and will resolve this, once NFSv4.1 
is generally available.

It seems in theory a workaround should be able to be implemented for 
NFSv4 on the server side. If the server can correlate the initial 
exclusive open call with the subsequent setattr, in the case where the 
file inherited an ACL, it can simply ignore the setattr, allowing the 
file to correctly maintain the original inherited ACL. I must confess I 
don't currently know enough about Solaris NFS server internals to know 
how difficult it would be to get reality to line up with theory ;). I 
had an open SR for a while with Oracle and tried to engage in a 
technical discussion, but never got close enough to an actual engineer 
to be able to do so :(.

What is the prognosis for NFSv4.1 support in illumos? Oracle closed my 
support ticket with the resolution of "fixed by NFSv4.1" but refused to 
estimate when that fix might actually be available in Solaris. I don't 
know what if any NFSv4.1 source code was in OpenSolaris before Oracle 
locked down releasing it. Presumably at some point Nexenta intends to 
have it available, but I don't know what priority is placed on it or if 
there's any active development underway.

As far as NFSv4, are there any Solaris NFS server experts around that 
might be able to comment on the feasibility of some kind of server 
workaround to keep exclusive open from horribly breaking ACL's? 
Personally, I consider this a serious security issue, as a file which 
should have been locked down tight based on the configured inherited ACL 
might well end up world readable 8-/, but Oracle didn't buy that...

Thanks...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
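
The sequence described in the message above (exclusive create without a mode, then a separate setattr) and the proposed server-side workaround, as an added toy model; it is not part of the original message and not illumos NFS server code. All class and function names, the sample ACL, the 0o600 fallback, and correlating create and setattr by file name alone are assumptions made for illustration.

```python
from dataclasses import dataclass

def acl_from_mode(mode):
    """Trivial ACL left behind by a chmod: one entry per mode triplet."""
    names = ("owner@", "group@", "everyone@")
    return [(who, (mode >> shift) & 7) for who, shift in zip(names, (6, 3, 0))]

@dataclass
class File:
    acl: list        # [(who, rwx bits)]; bit value 4 means read
    inherited: bool  # True while the ACL is the one inherited at create

class Server:
    """Toy model of the server side; all names here are hypothetical."""
    def __init__(self, dir_inheritable_acl, workaround=False):
        self.dir_acl = dir_inheritable_acl
        self.workaround = workaround
        self.files = {}
        self.pending = set()  # exclusive creates still awaiting their setattr

    def open_exclusive(self, name):
        # The exclusive create carries no mode, so the ACL is inherited.
        inherited = bool(self.dir_acl)
        # Assumption: 0o600 when the directory has nothing to inherit.
        acl = list(self.dir_acl) if inherited else acl_from_mode(0o600)
        self.files[name] = File(acl, inherited)
        self.pending.add(name)

    def setattr_mode(self, name, mode):
        f = self.files[name]
        follows_create = name in self.pending
        self.pending.discard(name)
        if self.workaround and follows_create and f.inherited:
            return "ignored"            # keep the inherited ACL
        f.acl = acl_from_mode(mode)     # chmod-like: the ACL is replaced
        f.inherited = False
        return "applied"

    def world_readable(self, name):
        return any(w == "everyone@" and p & 4 for w, p in self.files[name].acl)

def client_exclusive_create(server, name, mode=0o644):
    """Client side as described: create without a mode, then setattr."""
    server.open_exclusive(name)
    return server.setattr_mode(name, mode)

LOCKED_DOWN = [("user:alice", 7)]  # constructed inheritable ACL, no everyone@

def demo(workaround):
    srv = Server(LOCKED_DOWN, workaround)
    result = client_exclusive_create(srv, "secret.txt")
    return result, srv.world_readable("secret.txt"), srv
```

With `workaround=False` the file ends up with the trivial ACL for 0644 and is world readable; with `workaround=True` the first setattr after the create is dropped and later, explicit mode changes still apply.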


