From: Diego Santa Cruz
To: Trond Myklebust, Anna Schumaker
CC: "linux-nfs@vger.kernel.org"
Subject: Write access check not correct on world writable directories (regression)
Date: Tue, 9 Apr 2019 09:26:08 +0000

Hello,

I have encountered a problem with access(dir, W_OK) calls and world writable directories on NFS which are not owned by the calling user. The call returns EACCES, even though the user can create files in the directory. I use NFSv3, but this may also impact other NFS versions.

Test case, on an NFSv3 mounted directory is:

1. Create world writable directory as root: sudo mkdir -m 777 testdir
2. Test that normal user can create a file: rm -f testdir/foo && touch testdir/foo
3. Test for writability with access: strace -o log test -w testdir && echo PASS || echo FAIL
4. Checking the strace log shows that access("testdir", W_OK) fails with EACCES

I am using the linux-intel kernel 4.19.13, but I traced this to commit ecbb903c56745 in linux master (NFS: Be more careful about mapping file permissions), that went into kernel 4.13. The test works fine in earlier kernels. The problem does not always show up on directories owned by the calling user, but it may be due to attribute caching or similar.

I am not very NFS savvy but as far as I understand the commit above changed the tests in nfs_access_calc_mask() from "any bit in mask is set" to "all bits in mask are set". The mask for writable directories is ACCESS_MODIFY, ACCESS_EXTEND, ACCESS_DELETE but from what I see in a network capture the response from the NFS server is lacking the ACCESS_DELETE bit.

The attached patch reverts the tests in nfs_access_calc_mask() to "any bit in mask is set", which makes the test case work again, but I am not sure it is entirely correct to change all the tests, or if it would be more appropriate to drop ACCESS_DELETE from the NFS_DIR_MAY_WRITE mask. The patch applies cleanly on current linux master.

I checked the NFSv3 and NFSv4 RFCs, but it is not clear to me if ACCESS_DELETE is for the directory itself or its children. In any case my NFS server is omitting ACCESS_DELETE from the response (it is a Synology running Linux kernel 3.10.105).

Sincerely,

Diego

--
Diego Santa Cruz, PhD
Technology Architect
T +41 21 341 15 50
diego.santacruz@spinetix.com
spinetix.com

[Attachment: 0001-NFS-fix-regression-introduced-in-ecbb903c567.patch]
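
Added example, not part of the original message, the attached patch or the kernel source: a user-space model of the "all bits" versus "any bit" mapping the message describes, run on a constructed ACCESS reply that lacks the DELETE bit. The bit values are the ACCESS3_* constants from RFC 1813; the EX_MAY_* names, dir_access_to_mask() and SAMPLE_REPLY are hypothetical stand-ins, and the directory write mask follows the message's description.

```c
#include <stdint.h>
#include <stdio.h>

/* NFSv3 ACCESS bits as defined in RFC 1813 (ACCESS3_* names). */
#define ACCESS3_READ    0x0001u
#define ACCESS3_LOOKUP  0x0002u
#define ACCESS3_MODIFY  0x0004u
#define ACCESS3_EXTEND  0x0008u
#define ACCESS3_DELETE  0x0010u

/* Directory write mask as described in the message. */
#define DIR_MAY_WRITE (ACCESS3_MODIFY | ACCESS3_EXTEND | ACCESS3_DELETE)
/* Alternative raised in the message: the same mask without DELETE. */
#define DIR_MAY_WRITE_NO_DELETE (ACCESS3_MODIFY | ACCESS3_EXTEND)

/* Hypothetical stand-ins for the local permission bits. */
#define EX_MAY_EXEC  0x1u
#define EX_MAY_WRITE 0x2u
#define EX_MAY_READ  0x4u

/* Constructed reply: a server that grants everything except DELETE. */
#define SAMPLE_REPLY (ACCESS3_READ | ACCESS3_LOOKUP | ACCESS3_MODIFY | ACCESS3_EXTEND)
enum match { MATCH_ANY, MATCH_ALL };

static int granted(uint32_t reply, uint32_t want, enum match how)
{
    return how == MATCH_ALL ? (reply & want) == want : (reply & want) != 0;
}

/* Map a directory's ACCESS reply to local permission bits. */
uint32_t dir_access_to_mask(uint32_t reply, uint32_t write_bits, enum match how)
{
    uint32_t mask = 0;
    if (reply & ACCESS3_READ)
        mask |= EX_MAY_READ;
    if (granted(reply, write_bits, how))
        mask |= EX_MAY_WRITE;
    if (granted(reply, ACCESS3_LOOKUP, how))
        mask |= EX_MAY_EXEC;
    return mask;
}

int main(void)
{
    printf("all bits: %#x\n", (unsigned)dir_access_to_mask(SAMPLE_REPLY, DIR_MAY_WRITE, MATCH_ALL));
    printf("any bit : %#x\n", (unsigned)dir_access_to_mask(SAMPLE_REPLY, DIR_MAY_WRITE, MATCH_ANY));
    return 0;
}
```

With "any bit" matching, a reply carrying only the DELETE bit also maps to write permission, which is the trade-off between the two fixes the message weighs.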