NetBSD Problem Report #57246
From mark@ecs.vuw.ac.nz Sun Feb 26 22:59:56 2023
Return-Path: <mark@ecs.vuw.ac.nz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id AA5221A9239
for <gnats-bugs@gnats.NetBSD.org>; Sun, 26 Feb 2023 22:59:56 +0000 (UTC)
Message-Id: <202302262259.31QMxnit001798@turakirae.ecs.vuw.ac.nz>
Date: Mon, 27 Feb 2023 11:59:49 +1300 (NZDT)
From: mark@ecs.vuw.ac.nz
Reply-To: mark@ecs.vuw.ac.nz
To: gnats-bugs@NetBSD.org
Subject: NFS group permissions regression
X-Send-Pr-Version: 3.95
>Number: 57246
>Category: kern
>Synopsis: NFS group permissions regression
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: hannken
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Feb 26 23:00:00 +0000 2023
>Closed-Date: Tue Mar 07 08:45:35 +0000 2023
>Last-Modified: Tue Mar 07 08:45:35 +0000 2023
>Originator: Mark Davies
>Release: NetBSD 10.0_BETA
>Organization:
ECS, Victoria Uni. of Wellington, New Zealand.
>Environment:
System: NetBSD turakirae.ecs.vuw.ac.nz 10.0_BETA NetBSD 10.0_BETA (GENERIC) #1: Thu Jan 26 11:09:32 NZDT 2023 mark@turakirae.ecs.vuw.ac.nz:/local/SAVE/10_64.obj/src/work/10/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
On a Linux system, mounting from a NetBSD 10.0_BETA, files that should be writeable
over NFS due to group permissions fail, and
lose their current contents.
>How-To-Repeat:
On a Linux system, mounting from a NetBSD 10.0_BETA.
In an NFS mounted file system, create two files - one owned by you, the other
owned by someone else but with group permissions giving you write access. Try
copying the first file to the second. Get an error and the second file is zeroed.
city-art% df -h .
Filesystem Size Used Avail Use% Mounted on
lido:/am/lido/home/mark 2.0T 1.1T 813G 58% /home/mark
city-art% groups mark
root src docker msor programmers tech ecs
city-art% ls -la
total 40
drwxr-xr-x 2 mark ecs 512 Feb 27 09:40 .
drwxr-x--x 324 mark ecs 27136 Feb 27 11:32 ..
-rw-rw-r-- 1 mark ecs 6 Feb 27 09:40 A
-rw-rw-r-- 1 www ecs 8 Feb 27 09:40 B
city-art% cp A B
cp: cannot create regular file 'B': Permission denied
city-art% ls -la
total 36
drwxr-xr-x 2 mark ecs 512 Feb 27 09:40 .
drwxr-x--x 324 mark ecs 27136 Feb 27 11:32 ..
-rw-rw-r-- 1 mark ecs 6 Feb 27 09:40 A
-rw-rw-r-- 1 www ecs 0 Feb 27 09:42 B
Doing this from NetBSD to NetBSD works.
Doing this from Linux to NetBSD 9.3_STABLE works.
>Fix:
No idea, would love one
>Release-Note:
>Audit-Trail:
From: "J. Hannken-Illjes" <hannken@mailbox.org>
To: NetBSD GNATS <gnats-bugs@netbsd.org>
Cc:
Subject: Re: kern/57246: NFS group permissions regression
Date: Tue, 28 Feb 2023 15:36:30 +0100
This failure can be reduced to:
- Create a file xxx in a ffs file system, mode -rw-rw-r-- and
make sure you are not the owner but the group member.
- Try to touch this file (touch xxx) and get "Permission denied".
Operation ufs_setattr() runs genfs_can_chtimes() ->
VOP_ACCESSX( VWRITE_ATTRIBUTES ) ->
ufs_accessx() ->
vfs_unixify_accmode(&accmode),
this translates VWRITE_ATTRIBUTES into VADMIN and the access
check fails as we are not the owner.
vfs_unixify_accmode() definitely needs work ...
--
J. Hannken-Illjes - hannken@mailbox.org
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57246: NFS group permissions regression
Date: Tue, 28 Feb 2023 15:59:05 -0000 (UTC)
hannken@mailbox.org ("J. Hannken-Illjes") writes:
>The following reply was made to PR kern/57246; it has been noted by GNATS.
>From: "J. Hannken-Illjes" <hannken@mailbox.org>
>To: NetBSD GNATS <gnats-bugs@netbsd.org>
>Cc:
>Subject: Re: kern/57246: NFS group permissions regression
>Date: Tue, 28 Feb 2023 15:36:30 +0100
> This failure can be reduced to:
>
> - Create a file xxx in a ffs file system, mode -rw-rw-r-- and
> make sure you are not the owner but the group member.
>
> - Try to touch this file (touch xxx) and get "Permission denied".
>
> Operation ufs_setattr() runs genfs_can_chtimes() ->
> VOP_ACCESSX( VWRITE_ATTRIBUTES ) ->
> ufs_accessx() ->
> vfs_unixify_accmode(&accmode),
> this translates VWRITE_ATTRIBUTES into VADMIN and the access
> check fails as we are not the owner.
>
> vfs_unixify_accmode() definitely needs work ...
According to utimes(2) that's even correct. Only futimes() / futimens()
allow setting the time by someone who is neither owner nor super-user (but
has write permission) and touch should then call open() + futimens().
From: "Juergen Hannken-Illjes" <hannken@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57246 CVS commit: src/sys/miscfs/genfs
Date: Fri, 3 Mar 2023 10:02:51 +0000
Module Name: src
Committed By: hannken
Date: Fri Mar 3 10:02:51 UTC 2023
Modified Files:
src/sys/miscfs/genfs: genfs_vnops.c
Log Message:
Fix genfs_can_chtimes() to also handle the condition:
If the time pointer is null, then write permission
on the file is also sufficient.
From FreeBSD.
Should fix PR kern/57246 "NFS group permissions regression"
To generate a diff of this commit:
cvs rdiff -u -r1.219 -r1.220 src/sys/miscfs/genfs/genfs_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Cc:
Subject: Re: PR/57246 CVS commit: src/sys/miscfs/genfs
Date: Sun, 5 Mar 2023 13:44:04 +1300
On 3/03/23 23:05, Juergen Hannken-Illjes wrote:
> Modified Files:
> src/sys/miscfs/genfs: genfs_vnops.c
>
> Log Message:
> Fix genfs_can_chtimes() to also handle the condition:
>
> If the time pointer is null, then write permission
> on the file is also sufficient.
>
> From FreeBSD.
>
> Should fix PR kern/57246 "NFS group permissions regression"
Seems to fix the issue of touching the file on the local machine that
Juergen noted, but not copying files over NFS from Linux - that still fails.
cheers
mark
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/57246: NFS group permissions regression
Date: Sun, 5 Mar 2023 13:49:54 +1300
Note that
https://mail-index.netbsd.org/tech-kern/2023/02/28/msg028743.html
has tcpdump traces of the issue.
From: "J. Hannken-Illjes" <hannken@mailbox.org>
To: NetBSD GNATS <gnats-bugs@netbsd.org>
Cc:
Subject: Re: PR/57246 CVS commit: src/sys/miscfs/genfs
Date: Sun, 5 Mar 2023 11:14:36 +0100
Expanding the SETATTR call from linux-netbsd10.tcpdump gives:
Network File System, SETATTR Call FH: 0xf9f94117
[Program Version: 3]
[V3 Procedure: SETATTR (2)]
object
length: 28
[hash (CRC-32): 0xf9f94117]
FileHandle: 06a800008b07000010000000aa26842502cd6f050000000000000000
new_attributes
mode: no value
set_it: no value (0)
uid: no value
set_it: no value (0)
gid: no value
set_it: no value (0)
size: value follows
set_it: value follows (1)
size: 0
atime: don't change
set_it: don't change (0)
mtime: set to server time
set_it: set to server time (1)
guard: no value
check: no value (0)
It has "mtime: set to server time" which is exactly the
test I fixed in NetBSD-current.
I tried it here with RHEL8 as Linux and NetBSD-current, get
the same SETATTR call and it fails before my patch and
succeeds after it.
Are you really sure your NetBSD kernel has this change
(genfs_vnops.c rev. 1.220)? The NetBSD-10 tree is not
updated yet, ticket #111 is waiting.
--
J. Hannken-Illjes - hannken@mailbox.org
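The permission rule discussed in this thread, as an added example that is not part of the original report and is not NetBSD's source: a simplified user-space C model of the owner-only check versus the utimes(2) rule, applied to the `time_how` values from the SETATTR trace. The struct names, function names and numeric ids are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* NFSv3 time_how values (RFC 1813), as decoded in the SETATTR trace. */
enum time_how { DONT_CHANGE, SET_TO_SERVER_TIME, SET_TO_CLIENT_TIME };
/* Hypothetical, simplified stand-ins for file attributes and credentials. */
struct file_attr { uid_t uid; gid_t gid; mode_t mode; };
struct cred { uid_t uid; const gid_t *groups; size_t ngroups; };

/* Classic owner/group/other write check; uid 0 bypasses it. */
static bool may_write(const struct file_attr *f, const struct cred *c) {
    if (c->uid == 0) return true;
    if (c->uid == f->uid) return (f->mode & 0200) != 0;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == f->gid) return (f->mode & 0020) != 0;
    return (f->mode & 0002) != 0;
}

/* Regressed behaviour described in the thread: a timestamp write is
 * treated as an owner-only (VADMIN-style) operation. */
int chtimes_owner_only(const struct file_attr *f, const struct cred *c) {
    return (c->uid == 0 || c->uid == f->uid) ? 0 : EPERM;
}

/* Rule from utimes(2) and the commit log: owner or super-user may set any
 * time; a null time pointer ("now") also succeeds with write access. */
int chtimes_fixed(const struct file_attr *f, const struct cred *c, bool times_null) {
    if (c->uid == 0 || c->uid == f->uid) return 0;
    if (!times_null) return EPERM;
    return may_write(f, c) ? 0 : EACCES;
}

/* SET_TO_SERVER_TIME carries no client timestamp, so it is modelled as the
 * null-time-pointer case; any SET_TO_CLIENT_TIME means explicit times. */
int setattr_times_check(const struct file_attr *f, const struct cred *c,
                        enum time_how atime, enum time_how mtime) {
    if (atime == DONT_CHANGE && mtime == DONT_CHANGE) return 0;
    bool client = atime == SET_TO_CLIENT_TIME || mtime == SET_TO_CLIENT_TIME;
    return chtimes_fixed(f, c, !client);
}

int main(void) {
    /* Constructed sample mirroring file B in the report: www:ecs, mode 0664. */
    const gid_t groups[] = { 100 };
    struct file_attr b = { 1001, 100, 0664 };
    struct cred mark = { 1000, groups, 1 };
    return setattr_times_check(&b, &mark, DONT_CHANGE, SET_TO_SERVER_TIME);
}
```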
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/57246 CVS commit: [netbsd-10] src/sys/miscfs/genfs
Date: Sun, 5 Mar 2023 14:34:59 +0000
Module Name: src
Committed By: martin
Date: Sun Mar 5 14:34:59 UTC 2023
Modified Files:
src/sys/miscfs/genfs [netbsd-10]: genfs_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #111):
sys/miscfs/genfs/genfs_vnops.c: revision 1.220
Fix genfs_can_chtimes() to also handle the condition:
If the time pointer is null, then write permission
on the file is also sufficient.
From FreeBSD.
Should fix PR kern/57246 "NFS group permissions regression"
To generate a diff of this commit:
cvs rdiff -u -r1.219 -r1.219.4.1 src/sys/miscfs/genfs/genfs_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/57246 CVS commit: src/sys/miscfs/genfs
Date: Mon, 6 Mar 2023 12:50:44 +1300
On 5/03/23 23:15, J. Hannken-Illjes wrote:
> Are you really sure your NetBSD kernel has this change
> (genfs_vnops.c rev. 1.220)? The NetBSD-10 tree is not
> updated yet, ticket #111 is waiting.
Odd. So I updated my 10_BETA tree to yesterday, then applied your 1.220
to it, rebuilt and installed that on a test system. Reproduced the test
setup and tried it and the cp still failed. Pretty sure that the patch
is in place as the "touch" on the local filesystem now works where it
didn't before.
cheers
mark
From: Mark Davies <mark@ecs.vuw.ac.nz>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/57246 CVS commit: src/sys/miscfs/genfs
Date: Tue, 7 Mar 2023 13:02:58 +1300
On 6/03/23 12:55, Mark Davies wrote:
> Odd. So I updated my 10_BETA tree to yesterday, then applied your 1.220
> to it, rebuilt and installed that on a test system. Reproduced the test
> setup and tried it and the cp still failed. Pretty sure that the patch
> is in place as the "touch" on the local filesystem now works where it
> didn't before.
Turns out Linux was caching the failure result from the setattr so
wasn't actually even trying to do it on the updated system.
If I test with a pair of files that it hadn't previously cached, or
touch the original files so that Linux thinks they have changed then it
works.
So it's all good and this ticket can be closed.
cheers
mark
Responsible-Changed-From-To: kern-bug-people->hannken
Responsible-Changed-By: hannken@NetBSD.org
Responsible-Changed-When: Tue, 07 Mar 2023 08:45:35 +0000
Responsible-Changed-Why:
Take, committed a fix.
State-Changed-From-To: open->closed
State-Changed-By: hannken@NetBSD.org
State-Changed-When: Tue, 07 Mar 2023 08:45:35 +0000
State-Changed-Why:
Fix committed and pulled up.
>Unformatted: