[illumos-Developer] NFSv4 exclusive open breaks ACL's
Paul B. Henson
henson at acm.org
Mon Jul 18 19:15:44 PDT 2011

The current implementation of exclusive open under NFS is somewhat
broken in regards to ACLs; the initial create does not specify a mode,
the mode is specified after the creation in a separate setattr.
Unfortunately, this results in the initial creation without a mode
inheriting the correct ACL, and the subsequent setattr effectively
breaking it like a chmod :(.

This has been known about for a *long* time, Sun CR#6215088 was opened
in 2005 describing the issue with UFS ACL's, but it has never been
fixed. A new operation is in the NFSv4.1 spec which allows specifying
attributes during an exclusive open (why didn't they fix this in NFSv4?
The problem already existed <sigh>) and will resolve this, once NFSv4.1
is generally available.

It seems in theory a workaround should be able to be implemented for
NFSv4 on the server side. If the server can correlate the initial
exclusive open call with the subsequent setattr, in the case where the
file inherited an ACL, it can simply ignore the setattr, allowing the
file to correctly maintain the original inherited ACL. I must confess I
don't currently know enough about Solaris NFS server internals to know
how difficult it would be to get reality to line up with theory ;). I
had an open SR for a while with Oracle and tried to engage in a
technical discussion, but never got close enough to an actual engineer
to be able to do so :(.

What is the prognosis for NFSv4.1 support in illumos? Oracle closed my
support ticket with the resolution of "fixed by NFSv4.1" but refused to
estimate when that fix might actually be available in Solaris. I don't
know what if any NFSv4.1 source code was in OpenSolaris before Oracle
locked down releasing it. Presumably at some point Nexenta intends to
have it available, but I don't know what priority is placed on it or if
there's any active development underway.

As far as NFSv4, are there any Solaris NFS server experts around that
might be able to comment on the feasibility of some kind of server
workaround to keep exclusive open from horribly breaking ACL's?
Personally, I consider this a serious security issue, as a file which
should have been locked down tight based on the configured inherited ACL
might well end up world readable 8-/, but Oracle didn't buy that...

Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
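
The sequence described in the message above, and the server-side workaround it proposes, as a simplified model. This is an added illustration, not part of the original post and not illumos or Solaris code; the class names, the ACE notation and the sample ACL are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class File:
    acl: list                    # list of (who, perms) entries, toy notation
    inherited: bool              # True if the ACL came from the parent directory
    excl_pending: bool = False   # exclusive create seen, mode SETATTR not yet seen

def acl_from_mode(mode):
    """chmod semantics: replace the ACL with a trivial one built from mode bits."""
    def bits(shift):
        m = (mode >> shift) & 7
        return "".join(c for c, b in (("r", 4), ("w", 2), ("x", 1)) if m & b)
    return [("owner@", bits(6)), ("group@", bits(3)), ("everyone@", bits(0))]

class Server:
    def __init__(self, dir_inheritable_acl, workaround=False):
        self.dir_acl = dir_inheritable_acl
        self.workaround = workaround
        self.files = {}

    def open_exclusive(self, name):
        # An NFSv4 exclusive create carries a verifier but no mode.
        if name in self.files:
            raise FileExistsError(name)
        inherited = bool(self.dir_acl)
        # Assumption: with nothing to inherit, the model starts from mode 0.
        acl = list(self.dir_acl) if inherited else acl_from_mode(0)
        self.files[name] = File(acl, inherited, excl_pending=True)

    def setattr_mode(self, name, mode):
        f = self.files[name]
        pending, f.excl_pending = f.excl_pending, False
        if self.workaround and pending and f.inherited:
            return  # proposed workaround: ignore the follow-up mode, keep the ACL
        f.acl = acl_from_mode(mode)  # current behaviour: acts like a chmod
        f.inherited = False

def world_readable(acl):
    return any(who == "everyone@" and "r" in perms for who, perms in acl)

def run(workaround):
    # Constructed directory ACL: owner read/write, one group read, nobody else.
    srv = Server([("owner@", "rw"), ("group:staff", "r")], workaround)
    srv.open_exclusive("secret.txt")
    srv.setattr_mode("secret.txt", 0o644)  # client's separate mode SETATTR
    return srv.files["secret.txt"].acl
```
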