From: Frank Filz Subject: Re: [PATCH] nfsd: Fix sort_pacl in fs/nfsd/nf4acl.c to actually sort groups Date: Tue, 27 Oct 2009 20:12:00 -0700 Message-ID: <1256699520.31791.25.camel@dyn9047022153> References: <1256168703.31791.14.camel@dyn9047022153> <20091027233244.GD14471@fieldses.org> Mime-Version: 1.0 Content-Type: text/plain Cc: NFS List , NFS V4 Mailing List , Frank S Filz To: "J. Bruce Fields" Return-path: Received: from e4.ny.us.ibm.com ([32.97.182.144]:44104 "EHLO e4.ny.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932457AbZJ1DJf (ORCPT ); Tue, 27 Oct 2009 23:09:35 -0400 Received: from d01relay07.pok.ibm.com (d01relay07.pok.ibm.com [9.56.227.147]) by e4.ny.us.ibm.com (8.14.3/8.13.1) with ESMTP id n9S31kxU013431 for ; Tue, 27 Oct 2009 23:01:46 -0400 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay07.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id n9S39dxC1134608 for ; Tue, 27 Oct 2009 23:09:39 -0400 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.14.3/8.13.1/NCO v10.0 AVout) with ESMTP id n9S39dSm006392 for ; Tue, 27 Oct 2009 23:09:39 -0400 In-Reply-To: <20091027233244.GD14471@fieldses.org> Sender: linux-nfs-owner@vger.kernel.org List-ID: On Tue, 2009-10-27 at 19:32 -0400, J. Bruce Fields wrote: > On Wed, Oct 21, 2009 at 04:45:02PM -0700, Frank Filz wrote: > > We have been doing some extensive testing of Linux support for ACLs on > > NFDS v4. We have noticed that the server rejects ACLs where the groups > > are out of order, for example, the following ACL is rejected: > > > > A::OWNER@:rwaxtTcCy > > A::user101@domain:rwaxtcy > > A::GROUP@:rwaxtcy > > A:g:group102@domain:rwaxtcy > > A:g:group101@domain:rwaxtcy > > A::EVERYONE@:rwaxtcy > > > > Examining the server code, I found that after converting an NFS v4 ACL > > to POSIX, sort_pacl is called to sort the user ACEs and group ACEs. > > Unfortunately, a minor bug causes the group sort to be skipped. > > Good grief, I'm embarassed--OK, thanks for catching that! Do you have > any regression tests that'd be easy for someone else to run? Using the above ACL (modified with appropriate groups and the appropriate domain) with nfs4_setfacl will result in an EINVAL/Invalid argument. I'm working on a script to test ACL conversion, I will post it when it is in a better state for public consumption. It does an exhaustive test (which in full mode takes a day or two to complete), but I could add a regression test that just hit various spot conditions (it will also have to get smart about the ACL re-ordering in order to have an automated regression test for this error). We actually hit the bug by using nfs4_setfacl -a, discovering that the command only succeeded if the index was specified to put the new group ACE in the correct sorted position. Thanks Frank