Incorrect Access Control List (ACL) Inheritance on Linux systems running Veritas File System (VxFS)
Article ID: 100022621
Updated On:
Description
Error Message
# getfacl bad/rofile....
user::r-- <<< incorrectly inherited
user:john:rwx #effective:r--
...
group::rwx #effective:r--
group:admin:rwx #effective:r--
....
mask::r-- <<< incorrectly inherited
other::r--
Resolution
Due to Etrack incident 1891400, the ACL of a newly created file may not be inherited correctly from the parent directory.
Procedure to reproduce the problem
==========================
1. Make a new directory and assign the ACL entries, including default ACL entries.
# mkdirbad
# setfacl -M ACL bad
# getfacl bad
#file: bad
# owner: root
# group:root
user::rwx
user:john:rwx
user:mary:rwx
group::rwx
group:admin:rwx
group:sales:rwx
mask::rwx
other::r-x
default:user::rwx <<< new files created should have default user permission of rwx
default:user:john:rwx
default:user:mary:rwx
default:group::rwx
default:group:admin:rwx
default:group:sales:rwx
default:mask::rwx <<< New files created should have a default mask of rwx
default:other::r-x
If the first file created in that directory is created with permission 0444 (-r--r--r---), then this may trigger the bug.
The following is a C program to create a file with permission0444.
# cat creat444.c
#include
#include
main()
{
int fd;
if ((fd=open("bad/rofile", O_CREAT|O_WRONLY, 0444)) == -1) /* 0444 is cached incorrectly */
{
fprintf(stderr, "open()failed\n");
}
close(fd);
}
#./creat444
# ls -l bad
total 0
-r--r--r--+ 1 root root 0 Nov 1120:13 rofile
# getfacl bad/rofile
# file: bad/rofile
# owner:root
# group:root
user::r-- <<
user:mary:rwx #effective:r--
group::rwx #effective:r--
group:admin:rwx #effective:r--
group:sales:rwx #effective:r--
mask::r--
other::r--
Note that the first file is created with the correct permissions as specified in the open(2) system call.
Due to the etrack incident, this permission (0444 as in the previous C program) could be incorrectly cached in the VxFS system. (The problem may not occur all the time because there are cases where the cached permission can be reset. It depends on the actual operations performed on the directory.)
If the bug is hit, this causes all subsequent files created in the affected directory to use the incorrectly cached permission.
Subsequent creation of files may use the incorrectly cached permission mode.
# touch bad/badfile
# ls -lbad/badfile
-r--r--r--+ 1 root root 0 Nov 11 20:14 bad/badfile
#getfacl bad/badfile
# file: bad/badfile
# owner: root
# group:root
user::r-- <<< thisfile is created with the incorrectly cached user permission
user:john:rwx #effective:r--
user:mary:rwx #effective:r--
group::rwx #effective:r--
group:admin:rwx #effective:r--
group:sales:rwx #effective:r--
mask::r-- <<< incorrect mask
other::r--
The fix for the Etrack incident is first provided in Linux VxFS 5.0MP3RP3HF8 and is also included in VxFS5.0MP4.
Before the required fix is applied, a workaround for the problem is to create the first file in the directory with a more relaxed permission.
Workaround for the problem
=====================
Create a new directory with the same ACLas above.
# mkdir good
# setfacl -M ACL good
# getfaclgood
# file: good
# owner: root
# group:root
user::rwx
user:john:rwx
user:mary:rwx
group::rwx
group:admin:rwx
group:sales:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::rwx
default:group:admin:rwx
default:group:sales:rwx
default:mask::rwx
default:other::r-x
The following is C program to create a file with permission 0666(-rwxrwxrwx).
# cat creat666.c
#include
#include
main()
{
int fd;
if ((fd=open("good/rwfile", O_CREAT|O_WRONLY, 0666)) == -1) /* mode0666 */
{
fprintf(stderr, "open()failed\n");
}
close(fd);
}
#./creat666
(The "touch" command can also be used to create such a file.
# strace /bin/touch hello
.....
open("hello",O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 0
)
The first file is always created with the correct permissions as specified in the open(2) systemcall.
# ls -l good
total 0
-rw-rw-r--+ 1 root root 0 Nov 11 20:17rwfile
# getfacl good/rwfile
# file: good/rwfile
# owner: root
#group: root
user::rw- <<< userpermission as specified in the open(2)system
user:john:rwx #effective:rw-
user:mary:rwx #effective:rw-
group::rwx #effective:rw-
group:admin:rwx #effective:rw-
group:sales:rwx #effective:rw-
mask::rw-
other::r--
All subsequent file will use the relaxed cached permission and will not interfere ACL inherited from the default ACL of the parent directory.
# touchgood/goodfile
# ls -l good/goodfile
-rw-rw-r--+ 1 root root 0 Nov 1120:17 good/goodfile
# getfacl good/goodfile
# file: good/goodfile
#owner: root
# group:root
user::rw- <<
user:mary:rwx #effective:rw-
group::rwx #effective:rw-
group:admin:rwx #effective:rw-
group:sales:rwx #effective:rw-
mask::rw- <<
Procedure to reproduce the problem
==========================
1. Make a new directory and assign the ACL entries, including default ACL entries.
# mkdirbad
# setfacl -M ACL bad
# getfacl bad
#file: bad
# owner: root
# group:root
user::rwx
user:john:rwx
user:mary:rwx
group::rwx
group:admin:rwx
group:sales:rwx
mask::rwx
other::r-x
default:user::rwx <<< new files created should have default user permission of rwx
default:user:john:rwx
default:user:mary:rwx
default:group::rwx
default:group:admin:rwx
default:group:sales:rwx
default:mask::rwx <<< New files created should have a default mask of rwx
default:other::r-x
If the first file created in that directory is created with permission 0444 (-r--r--r---), then this may trigger the bug.
The following is a C program to create a file with permission0444.
# cat creat444.c
#include
#include
main()
{
int fd;
if ((fd=open("bad/rofile", O_CREAT|O_WRONLY, 0444)) == -1) /* 0444 is cached incorrectly */
{
fprintf(stderr, "open()failed\n");
}
close(fd);
}
#./creat444
# ls -l bad
total 0
-r--r--r--+ 1 root root 0 Nov 1120:13 rofile
# getfacl bad/rofile
# file: bad/rofile
# owner:root
# group:root
user::r-- <<
user:mary:rwx #effective:r--
group::rwx #effective:r--
group:admin:rwx #effective:r--
group:sales:rwx #effective:r--
mask::r--
other::r--
Note that the first file is created with the correct permissions as specified in the open(2) system call.
Due to the etrack incident, this permission (0444 as in the previous C program) could be incorrectly cached in the VxFS system. (The problem may not occur all the time because there are cases where the cached permission can be reset. It depends on the actual operations performed on the directory.)
If the bug is hit, this causes all subsequent files created in the affected directory to use the incorrectly cached permission.
Subsequent creation of files may use the incorrectly cached permission mode.
# touch bad/badfile
# ls -lbad/badfile
-r--r--r--+ 1 root root 0 Nov 11 20:14 bad/badfile
#getfacl bad/badfile
# file: bad/badfile
# owner: root
# group:root
user::r-- <<< thisfile is created with the incorrectly cached user permission
user:john:rwx #effective:r--
user:mary:rwx #effective:r--
group::rwx #effective:r--
group:admin:rwx #effective:r--
group:sales:rwx #effective:r--
mask::r-- <<< incorrect mask
other::r--
The fix for the Etrack incident is first provided in Linux VxFS 5.0MP3RP3HF8 and is also included in VxFS5.0MP4.
Before the required fix is applied, a workaround for the problem is to create the first file in the directory with a more relaxed permission.
Workaround for the problem
=====================
Create a new directory with the same ACLas above.
# mkdir good
# setfacl -M ACL good
# getfaclgood
# file: good
# owner: root
# group:root
user::rwx
user:john:rwx
user:mary:rwx
group::rwx
group:admin:rwx
group:sales:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::rwx
default:group:admin:rwx
default:group:sales:rwx
default:mask::rwx
default:other::r-x
The following is C program to create a file with permission 0666(-rwxrwxrwx).
# cat creat666.c
#include
#include
main()
{
int fd;
if ((fd=open("good/rwfile", O_CREAT|O_WRONLY, 0666)) == -1) /* mode0666 */
{
fprintf(stderr, "open()failed\n");
}
close(fd);
}
#./creat666
(The "touch" command can also be used to create such a file.
# strace /bin/touch hello
.....
open("hello",O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK, 0666) = 0
)
The first file is always created with the correct permissions as specified in the open(2) systemcall.
# ls -l good
total 0
-rw-rw-r--+ 1 root root 0 Nov 11 20:17rwfile
# getfacl good/rwfile
# file: good/rwfile
# owner: root
#group: root
user::rw- <<< userpermission as specified in the open(2)system
user:john:rwx #effective:rw-
user:mary:rwx #effective:rw-
group::rwx #effective:rw-
group:admin:rwx #effective:rw-
group:sales:rwx #effective:rw-
mask::rw-
other::r--
All subsequent file will use the relaxed cached permission and will not interfere ACL inherited from the default ACL of the parent directory.
# touchgood/goodfile
# ls -l good/goodfile
-rw-rw-r--+ 1 root root 0 Nov 1120:17 good/goodfile
# getfacl good/goodfile
# file: good/goodfile
#owner: root
# group:root
user::rw- <<
user:mary:rwx #effective:rw-
group::rwx #effective:rw-
group:admin:rwx #effective:rw-
group:sales:rwx #effective:rw-
mask::rw- <<
Issue/Introduction
Incorrect Access Control List (ACL) Inheritance on Linux systems running Veritas File System (VxFS)
Was this article helpful?
Yes
No
Powered by
