Project

General

Profile

Bug #5549

NFS Server returns inconsistent information for ACLPROC_GETACL request

Added by Alexander Kolbasov about 5 years ago. Updated about 5 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
nfs - NFS server and client
Start date:
2015-01-20
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
needs-triage

Description

The bug is in this code in acl3_getacl():

    if (!(args->mask & NA_ACL)) {
        if (resp->resok.acl.vsa_aclcnt > 0 &&
            resp->resok.acl.vsa_aclentp != NULL) {
            kmem_free((caddr_t)resp->resok.acl.vsa_aclentp,
                resp->resok.acl.vsa_aclcnt * sizeof (aclent_t));
        }
        resp->resok.acl.vsa_aclentp = NULL;
    }

The problem is that no one sets NA_ACL. This is probably remains of some older code. Same thing for NA_DFACL.

There are file system access control mask bits defined in node.h:

/* vsa_mask values */
#define    VSA_ACL            0x0001
#define    VSA_ACLCNT        0x0002
#define    VSA_DFACL        0x0004
#define    VSA_DFACLCNT        0x0008
#define    VSA_ACE            0x0010
#define    VSA_ACECNT        0x0020
#define    VSA_ACE_ALLTYPES    0x0040
#define    VSA_ACE_ACLFLAGS    0x0080    /* get/set ACE ACL flags */

and pretty much everyone uses them. There are also flags defined in nfs_al.h:

#define    NA_ACL        0x1
#define    NA_ACLCNT    0x2
#define    NA_DFACL    0x4
#define    NA_DFACLCNT    0x8

As you can see, they correspond to the above. At some point apparently code was converted to VSA_ masks but alc._getacl() and acl2_getacl() were left behind.

The actual problem is that the acl3_getacl() and acl2_getacl() wasn't updated for ACE style access control.


Related issues

Related to illumos gate - Bug #5548: Attempt to read ACLs from Illumos NFS client is toxicNew2015-01-20

Actions

History

#1

Updated by Marcel Telka about 5 years ago

  • Category set to nfs - NFS server and client

Also available in: Atom PDF