2011-07-26 14:43:49

by Robert Marcano

Subject: NFSv4 / POSIX ACL mapping bug?

Hi, This question is probably too simple for this nfs developer list,
but I am intrigued to know if this is a bug or not, I do not find any
other reference to anyone with this problem

I need some help clarifying this issue in order to know if this is a bug
or limits of the NFSv4 / POSIX ACL mapping before reporting it

Creating a directory on the server with the following POSIX ACLs, rwx
for the group "sharedgroup" and same defaults:

############################################################
# file: directory
# owner: root
# group: root
user::rwx
group::r-x
group:sharedgroup:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:sharedgroup:rwx
default:mask::rwx
default:other::---
############################################################

Creating files with the same user with umask 022 on the server and on the
NFS client, the files do not get the same POSIX ACL mask:

############################################################
# file: client
# owner: test
# group: testgroup
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:r--
mask::r--
other::r--

# file: server
# owner: test
# group: testgroup
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:rw-
mask::rw-
other::r--
############################################################

Is this normal or a bug?, My interpretation is that even that the
mapping of the ACLs is not 100% perfect this simple example should not
be a problem. Is it impossible using NFS to create a shared directory
for a group of users?

Thanks in advance


2011-07-27 16:17:18

by Robert Marcano

Subject: Re: NFSv4 / POSIX ACL mapping bug?

On 07/27/2011 11:17 AM, J. Bruce Fields wrote:
> On Tue, Jul 26, 2011 at 10:13:44AM -0430, Robert Marcano wrote:
...
>> Is this normal or a bug?, My interpretation is that even that the
>> mapping of the ACLs is not 100% perfect this simple example should
>> not be a problem. Is it impossible using NFS to create a shared
>> directory for a group of users?
>
> Without looking at your example carefully, it sounds like the same
> problem as discussed here:
>
> http://marc.info/?t=123739823200003&r=1&w=2

Thanks, exactly the same problem, current user umask getting in the way
of ACL inheritance, looks like the answer is that this is currently not
possible because the umask is applied client side and the NFSv4 protocol
does not help to send that info to the server. No workaround available
(mount option or something like that)
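
The behaviour reported in this thread, as an added example that is not part of any poster's message: a small model of POSIX ACL inheritance at file creation, comparing a local create (umask ignored because a default ACL exists) with an NFS create where the client has already masked the mode. The `DEFAULT_ACL` entries are constructed from the `mkdir` and `setfacl` commands posted in the thread; the function names are hypothetical.

```python
# Added illustration, not code from the thread: POSIX ACL inheritance on create.
# Rule from acl(5): with a default ACL the umask is ignored, and user::, mask::
# and other:: are ANDed with the mode passed to open()/creat().

def bits(s):
    """'r-x' -> 5"""
    return sum(1 << (2 - i) for i, c in enumerate(s) if c != "-")

def text(n):
    """5 -> 'r-x'"""
    return "".join(c if n & (1 << (2 - i)) else "-" for i, c in enumerate("rwx"))

def create_file(default_acl, requested_mode, umask, umask_applied_by_client):
    """Return the access ACL a new file inherits from default_acl.

    Local create: the server sees the application's mode untouched.
    NFS create as reported in the thread: the client strips the umask bits
    first, so the server cannot tell them from bits never requested.
    """
    mode = requested_mode & ~umask if umask_applied_by_client else requested_mode
    limit = {"user::": (mode >> 6) & 7, "mask::": (mode >> 3) & 7, "other::": mode & 7}
    return {tag: text(bits(perm) & limit[tag]) if tag in limit else perm
            for tag, perm in default_acl.items()}

def effective(acl, tag):
    """group:: and named entries are capped by mask::."""
    return text(bits(acl[tag]) & bits(acl["mask::"]))

# Constructed input: directory made under umask 022, then
# setfacl -m d:g:sharedgroup:rwx (missing default entries copied from 0755).
DEFAULT_ACL = {
    "user::": "rwx", "group::": "r-x", "group:sharedgroup:": "rwx",
    "mask::": "rwx", "other::": "r-x",
}

def compare(umask=0o022, requested_mode=0o666):
    """touch asks for 0666; return (local_acl, nfs_acl)."""
    local = create_file(DEFAULT_ACL, requested_mode, umask, False)
    nfs = create_file(DEFAULT_ACL, requested_mode, umask, True)
    return local, nfs

if __name__ == "__main__":
    for name, acl in zip(("server", "client"), compare()):
        print(f"# file: {name}")
        for tag, perm in acl.items():
            note = f"\t#effective:{effective(acl, tag)}" if tag.startswith("group") else ""
            print(f"{tag}{perm}{note}")
```

The two results reproduce the `mask::rw-` and `mask::r--` listings posted for `directory/server` and `directory/client`.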

2011-07-26 18:33:45

by Andy Adamson

Subject: Re: NFSv4 / POSIX ACL mapping bug?

Hi

Which client, which server (distro and uname -a output) did you use? Also, what commands (setfacl,getfacl? nfs4_setfacl, nfs4_getfacl ? plus version) and parameters did you use?

-->Andy
On Jul 26, 2011, at 10:43 AM, Robert Marcano wrote:

> Hi, This question is probably too simple for this nfs developer list, but I am intrigued to know if this is a bug or not, I do not find any other reference to anyone with this problem
>
> I need some help clarifying this issue in order to know if this is a bug or limits of the NFSv4 / POSIX ACL mapping before reporting it
>
> Creating a directory on the server with the following POSIX ACLs, rwx for the group "sharedgroup" and same defaults:
>
> ############################################################
> # file: directory
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:sharedgroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:sharedgroup:rwx
> default:mask::rwx
> default:other::---
> ############################################################
>
> Creating files with the same user with umask 022 on the server and on the NFS client, the files do not get the same POSIX ACL mask:
>
> ############################################################
> # file: client
> # owner: test
> # group: testgroup
> user::rw-
> group::r-x #effective:r--
> group:sharedgroup:rwx #effective:r--
> mask::r--
> other::r--
>
> # file: server
> # owner: test
> # group: testgroup
> user::rw-
> group::r-x #effective:r--
> group:sharedgroup:rwx #effective:rw-
> mask::rw-
> other::r--
> ############################################################
>
> Is this normal or a bug?, My interpretation is that even that the mapping of the ACLs is not 100% perfect this simple example should not be a problem. Is it impossible using NFS to create a shared directory for a group of users?
>
> Thanks in advance


2011-07-26 19:33:57

by Robert Marcano

Subject: Re: NFSv4 / POSIX ACL mapping bug?

On 07/26/2011 02:59 PM, Robert Marcano wrote:
> On 07/26/2011 02:03 PM, Andy Adamson wrote:
>> Hi
>>
>> Which client, which server (distro and uname -a output) did you use?
>> Also, what commands (setfacl,getfacl? nfs4_setfacl, nfs4_getfacl ?
>> plus version) and parameters did you use?

Adding missing versions on the CentOS NFS Server

setfacl 2.2.39
getfacl 2.2.39


2011-07-28 04:22:24

by Vlad

Subject: Re: NFSv4 / POSIX ACL mapping bug?

Just because of this problem we're (still) using NFS3 with kerberos...

On Wed, 2011-07-27 at 11:47 -0430, Robert Marcano wrote:
> On 07/27/2011 11:17 AM, J. Bruce Fields wrote:
> > On Tue, Jul 26, 2011 at 10:13:44AM -0430, Robert Marcano wrote:
> ...
> >> Is this normal or a bug?, My interpretation is that even that the
> >> mapping of the ACLs is not 100% perfect this simple example should
> >> not be a problem. Is it impossible using NFS to create a shared
> >> directory for a group of users?
> >
> > Without looking at your example carefully, it sounds like the same
> > problem as discussed here:
> >
> > http://marc.info/?t=123739823200003&r=1&w=2
>
> Thanks, exactly the same problem, current user umask getting in the way
> of ACL inheritance, looks like the answer is that this is currently not
> possible because the umask is applied client side and the NFSv4 protocol
> does not help to send that info to the server. No workaround available
> (mount option or something like that)


2011-07-27 15:18:09

by Robert Marcano

Subject: Re: NFSv4 / POSIX ACL mapping bug? (more tests)

On 07/26/2011 02:03 PM, Andy Adamson wrote:
> Hi
>
> Which client, which server (distro and uname -a output) did you use? Also, what commands (setfacl,getfacl? nfs4_setfacl, nfs4_getfacl ? plus version) and parameters did you use?
>

Now using nfs4 acl tools

nfs4_getfacl 0.3.3
nfs4_setfacl 0.3.3

======================================
NFS client (Fedora 15)
======================================

$ nfs4_getfacl directory/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A::EVERYONE@:rxtcy

$ nfs4_setfacl -a A:gdf:sharedgroup@localdomain:rwaDxtcy directory/

$ nfs4_getfacl directory/
A::OWNER@:rwaDxtTcCy
A::GROUP@:rxtcy
A:g:sharedgroup@localdomain:rwaDxtcy
A::EVERYONE@:rxtcy
D:fdi:OWNER@:rwaDx
A:fdi:OWNER@:tTcCy
A:fdi:GROUP@:tcy
A:fdig:sharedgroup@localdomain:rwaDxtcy
A:fdi:EVERYONE@:tcy

$ touch directory/client

$ nfs4_getfacl directory/client
D::OWNER@:r
A::OWNER@:tTcCy
A::GROUP@:tcy
A:g:sharedgroup@localdomain:rtcy
A::EVERYONE@:tcy

Inheritance was added for the group sharedgroup to the directory, but
the file does not get w permission when the file is created. The NFS
ACL <--> POSIX ACL mapping on the file "client" on the server is:

# getfacl directory
user::rwx
group::r-x
group:admision:rwx
mask::rwx
other::r-x
default:user::---
default:group::---
default:group:admision:rwx
default:mask::rwx
default:other::---

# getfacl directory/client
user::---
group::---
group:sharedgroup:rwx #effective:r--
mask::r--
other::---

Why is the client user umask (022) being used for the inherited
permissions for the group "sharedgroup"? Is this by design or a bug?

Thanks in advance

2011-07-27 15:47:37

by J. Bruce Fields

Subject: Re: NFSv4 / POSIX ACL mapping bug?

On Tue, Jul 26, 2011 at 10:13:44AM -0430, Robert Marcano wrote:
> Hi, This question is probably too simple for this nfs developer
> list, but I am intrigued to know if this is a bug or not, I do not
> find any other reference to anyone with this problem
>
> I need some help clarifying this issue in order to know if this is a
> bug or limits of the NFSv4 / POSIX ACL mapping before reporting it
>
> Creating a directory on the server with the following POSIX ACLs,
> rwx for the group "sharedgroup" and same defaults:
>
> ############################################################
> # file: directory
> # owner: root
> # group: root
> user::rwx
> group::r-x
> group:sharedgroup:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:sharedgroup:rwx
> default:mask::rwx
> default:other::---
> ############################################################
>
> Creating files with the same user with umask 022 on the server and on
> the NFS client, the files do not get the same POSIX ACL mask:
>
> ############################################################
> # file: client
> # owner: test
> # group: testgroup
> user::rw-
> group::r-x #effective:r--
> group:sharedgroup:rwx #effective:r--
> mask::r--
> other::r--
>
> # file: server
> # owner: test
> # group: testgroup
> user::rw-
> group::r-x #effective:r--
> group:sharedgroup:rwx #effective:rw-
> mask::rw-
> other::r--
> ############################################################
>
> Is this normal or a bug?, My interpretation is that even that the
> mapping of the ACLs is not 100% perfect this simple example should
> not be a problem. Is it impossible using NFS to create a shared
> directory for a group of users?

Without looking at your example carefully, it sounds like the same
problem as discussed here:

http://marc.info/?t=123739823200003&r=1&w=2

--b.

2011-07-26 19:29:12

by Robert Marcano

Subject: Re: NFSv4 / POSIX ACL mapping bug?

On 07/26/2011 02:03 PM, Andy Adamson wrote:
> Hi
>
> Which client, which server (distro and uname -a output) did you use? Also, what commands (setfacl,getfacl? nfs4_setfacl, nfs4_getfacl ? plus version) and parameters did you use?

Thanks, here is the missing data

NFS Server:
CentOS release 5.6
Linux *** 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:13 EDT 2011
x86_64 x86_64 x86_64 GNU/Linux

Client:
Fedora 15
Linux *** 2.6.38.7-30.fc15.i686.PAE #1 SMP Fri May 27 05:44:56 UTC
2011 i686 i686 i386 GNU/Linux

The acls are POSIX ACLs assigned server side

=================================================
Commands on the CentOS NFS server:
not on the NFS mounted directory but on the source filesystem that is
exported, using root
=================================================
# umask 022
# mkdir directory
# setfacl -m d:g:sharedgroup:rwx directory
# setfacl -m g:sharedgroup:rwx directory
# touch directory/server
# getfacl directory/server

# file: directory/server
# owner: root
# group: root
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:rw-
mask::rw-
other::r--


=================================================
Commands on the Fedora NFS client:
using a non root user (a Kerberos authenticated user in our setup named
test)
=================================================
$ umask 022
$ touch directory/client

=================================================
Commands on the CentOS NFS server:
=================================================
# getfacl directory/client

# file: directory/client
# owner: test
# group: ipausers
user::rw-
group::r-x #effective:r--
group:sharedgroup:rwx #effective:r--
mask::r--
other::r--

When the file is created locally it gets the default ACL from
"directory" with mask "mask::rw-"

Thanks in advance


>
> -->Andy
> On Jul 26, 2011, at 10:43 AM, Robert Marcano wrote:
>
>> Hi, This question is probably too simple for this nfs developer list, but I am intrigued to know if this is a bug or not, I do not find any other reference to anyone with this problem
>>
>> I need some help clarifying this issue in order to know if this is a bug or limits of the NFSv4 / POSIX ACL mapping before reporting it
>>
>> Creating a directory on the server with the following POSIX ACLs, rwx for the group "sharedgroup" and same defaults:
>>
>> ############################################################
>> # file: directory
>> # owner: root
>> # group: root
>> user::rwx
>> group::r-x
>> group:sharedgroup:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::r-x
>> default:group:sharedgroup:rwx
>> default:mask::rwx
>> default:other::---
>> ############################################################
>>
>> Creating files with the same user with umask 022 on the server and on the NFS client, the files do not get the same POSIX ACL mask:
>>
>> ############################################################
>> # file: client
>> # owner: test
>> # group: testgroup
>> user::rw-
>> group::r-x #effective:r--
>> group:sharedgroup:rwx #effective:r--
>> mask::r--
>> other::r--
>>
>> # file: server
>> # owner: test
>> # group: testgroup
>> user::rw-
>> group::r-x #effective:r--
>> group:sharedgroup:rwx #effective:rw-
>> mask::rw-
>> other::r--
>> ############################################################
>>
>> Is this normal or a bug?, My interpretation is that even that the mapping of the ACLs is not 100% perfect this simple example should not be a problem. Is it impossible using NFS to create a shared directory for a group of users?
>>
>> Thanks in advance
>


2011-08-02 01:09:48

by J. Bruce Fields

Subject: Re: NFSv4 / POSIX ACL mapping bug?

On Wed, Jul 27, 2011 at 11:47:13AM -0430, Robert Marcano wrote:
> On 07/27/2011 11:17 AM, J. Bruce Fields wrote:
> >On Tue, Jul 26, 2011 at 10:13:44AM -0430, Robert Marcano wrote:
> ...
> >>Is this normal or a bug?, My interpretation is that even that the
> >>mapping of the ACLs is not 100% perfect this simple example should
> >>not be a problem. Is it impossible using NFS to create a shared
> >>directory for a group of users?
> >
> >Without looking at your example carefully, it sounds like the same
> >problem as discussed here:
> >
> > http://marc.info/?t=123739823200003&r=1&w=2
>
> Thanks, exactly the same problem, current user umask getting in the
> way of ACL inheritance, looks like the answer is that this is
> currently not possible because the umask is applied client side and
> the NFSv4 protocol does not help to send that info to the server. No
> workaround available (mount option or something like that)

I seem to recall there was a solution proposed in the above thread that
Trond was OK with; if someone wants to read through it and implement
that, I'm sure patches would be welcome....

--b.