Received: by 2002:a05:6358:7058:b0:131:369:b2a3 with SMTP id 24csp8608234rwp; Wed, 19 Jul 2023 12:23:33 -0700 (PDT) X-Google-Smtp-Source: APBJJlF9qiBOBLR7fsCCsekIK+JKwnHTRaWAxv3VvRYp7q8NuinVvHpNyYUXx1am2tfJwIJufj9A X-Received: by 2002:aa7:c2d5:0:b0:51d:95f2:ee76 with SMTP id m21-20020aa7c2d5000000b0051d95f2ee76mr2922811edp.27.1689794613212; Wed, 19 Jul 2023 12:23:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689794613; cv=none; d=google.com; s=arc-20160816; b=Nv67WE6xnReGa7I1y5kjRfYfNN41NIB68S7RVpBdXsVNden1UQFJzYttgLWI9kSyYt wuvzJg9nmk6E+xfjm15Pm1bLVy8fmKEQgnG2990VYpaDjmetdCGofZUhJjxBOuo/Ktlb RdxocVz86x3XRizcDZC9qioYUq/imKA1cT0ifY381PPTObqCR/6lNWNyuPlNDDll+gZL uLvlMC2qV0tdrkIY15SzoZnvqYW83hgHuicrYbGPktTOpZTVLBfc5hu7JdNNAEkt6DsL Q/fdI5cj2xW1Zr15o1HJ9gBhOsN6T27IvG4QeMsK+ErLq5jsW30sYOJqz8bT4kXQsrFk hlDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=geFVVY7i5X6/K9z66ivX9q6KwzoULn3RHCagyA81/aA=; fh=rFVTMj14sKJqBe8jOVVEZJ8bdkZUxhyFYaqipD8ECrw=; b=SNkJM6YGa5NVrB0cWoTNVito5KyU70CZitu32y9Ig1DObCpiGZ6WnfGAgjqV7bZywF iS4hKcBME+jg2A7D+oqOq7B5gXhctDaJroL8oYrxa0oKKx9TzUujr5phADZntfOg/0ic VJNgA8U5zc1NHXj/ipR8OhghhQl9zia9sfYq8Blc2L2LHH7V4Q6FYbZM3/kKXGV8KhyC 6ZsquBZ4GcOAZjn/ZWsbuMNZ2TwaxZBAbXiSj+81y8u9U+ilUMh/bJKxIAg/gXKqH+rD TG79kSCXLIM1IitZqUYB4TOHTBKHtG7i2cN/z9zZCUaNV32Rk/7U+qyNU65D4EWvhkHi eTtw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="IPMW/TPe"; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id d19-20020aa7d693000000b0051e1ac7c9b4si3646876edr.651.2023.07.19.12.23.08; Wed, 19 Jul 2023 12:23:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="IPMW/TPe"; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230311AbjGSTMT (ORCPT + 99 others); Wed, 19 Jul 2023 15:12:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229535AbjGSTMR (ORCPT ); Wed, 19 Jul 2023 15:12:17 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AFFBE1BF6; Wed, 19 Jul 2023 12:12:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 4D00D617EB; Wed, 19 Jul 2023 19:12:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C98FDC433C8; Wed, 19 Jul 2023 19:12:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1689793935; bh=WnEpYb5mCjqyiCqGCFbyID54hiPfijMfm02T5CHpq+E=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=IPMW/TPeElwK4pnrsNJ+14tW2/Yrz6imn5BjbGDOpzEDr+QClaZJVrJUOYiE2OKOd xKKYnksaQmZBaNmBONHN+HLYGGF6Iu7di2hT04NRYI9gipdHE2pLSqHJ7pvm93WJ4r ODXdgj1e/c7iKOvJkoABDHpeB0RMTqJXZPPK/Go43yb9z7GR56jVNbMjmR7FHtkEZT DXSdRFUldGiU/XixofL86zqBJ6WkYJB2rnuEcE5Ji73zcjfEpNjDX0bkVoXVCjgvu3 eU2hEFDhssej7vwy0O4EQj2GoLjZ+VneJh8Acdgzr/cFJ95Lsd5RmaVdoErtFW+INY yubRivpI6RYTQ== Message-ID: <32b660c62f2abb17695816b83c41ae15b065b70e.camel@kernel.org> Subject: Re: [PATCH] nfsd: inherit required unset default acls from effective set From: Jeff Layton To: Chuck Lever III Cc: Neil Brown , Olga Kornievskaia , Dai Ngo , Tom Talpey , Linux NFS Mailing List , linux-fsdevel , open list , Ondrej Valousek , Andreas Gruenbacher Date: Wed, 19 Jul 2023 15:12:13 -0400 In-Reply-To: <0FE91AAE-0A90-4856-B9F3-A2CC4B4A94CC@oracle.com> References: <20230719-nfsd-acl-v1-1-eb0faf3d2917@kernel.org> <0FE91AAE-0A90-4856-B9F3-A2CC4B4A94CC@oracle.com> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.48.4 (3.48.4-1.fc38) MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, 2023-07-19 at 19:02 +0000, Chuck Lever III wrote: >=20 > > On Jul 19, 2023, at 1:49 PM, Jeff Layton wrote: > >=20 > > A well-formed NFSv4 ACL will always contain OWNER@/GROUP@/EVERYONE@ > > ACEs, but there is no requirement for inheritable entries for those > > entities. POSIX ACLs must always have owner/group/other entries, even f= or a > > default ACL. > >=20 > > nfsd builds the default ACL from inheritable ACEs, but the current code > > just leaves any unspecified ACEs zeroed out. The result is that adding = a > > default user or group ACE to an inode can leave it with unwanted deny > > entries. > >=20 > > For instance, a newly created directory with no acl will look something > > like this: > >=20 > > # NFSv4 translation by server > > A::OWNER@:rwaDxtTcCy > > A::GROUP@:rxtcy > > A::EVERYONE@:rxtcy > >=20 > > # POSIX ACL of underlying file > > user::rwx > > group::r-x > > other::r-x > >=20 > > ...if I then add new v4 ACE: > >=20 > > nfs4_setfacl -a A:fd:1000:rwx /mnt/local/test > >=20 > > ...I end up with a result like this today: > >=20 > > user::rwx > > user:1000:rwx > > group::r-x > > mask::rwx > > other::r-x > > default:user::--- > > default:user:1000:rwx > > default:group::--- > > default:mask::rwx > > default:other::--- > >=20 > > A::OWNER@:rwaDxtTcCy > > A::1000:rwaDxtcy > > A::GROUP@:rxtcy > > A::EVERYONE@:rxtcy > > D:fdi:OWNER@:rwaDx > > A:fdi:OWNER@:tTcCy > > A:fdi:1000:rwaDxtcy > > A:fdi:GROUP@:tcy > > A:fdi:EVERYONE@:tcy > >=20 > > ...which is not at all expected. Adding a single inheritable allow ACE > > should not result in everyone else losing access. > >=20 > > The setfacl command solves a silimar issue by copying owner/group/other > > entries from the effective ACL when none of them are set: > >=20 > > "If a Default ACL entry is created, and the Default ACL contains = no > > owner, owning group, or others entry, a copy of the ACL owner= , > > owning group, or others entry is added to the Default ACL. > >=20 > > Having nfsd do the same provides a more sane result (with no deny ACEs > > in the resulting set): > >=20 > > user::rwx > > user:1000:rwx > > group::r-x > > mask::rwx > > other::r-x > > default:user::rwx > > default:user:1000:rwx > > default:group::r-x > > default:mask::rwx > > default:other::r-x > >=20 > > A::OWNER@:rwaDxtTcCy > > A::1000:rwaDxtcy > > A::GROUP@:rxtcy > > A::EVERYONE@:rxtcy > > A:fdi:OWNER@:rwaDxtTcCy > > A:fdi:1000:rwaDxtcy > > A:fdi:GROUP@:rxtcy > > A:fdi:EVERYONE@:rxtcy > >=20 > > Link: https://bugzilla.redhat.com/show_bug.cgi?id=3D2136452 > > Reported-by: Ondrej Valousek > > Suggested-by: Andreas Gruenbacher > > Signed-off-by: Jeff Layton >=20 > As you pointed out in the bug report, there is not much testing > infrastructure for NFSv4 ACLs. It will be hard to tell in > advance if this change results in a behavior regression. >=20 > On the other hand, I'm not sure we have a large cohort of > NFSv4 ACL users on Linux. >=20 > I can certainly apply this to nfsd-next at least for a few > weeks to see if anyone yelps. >=20 Thanks, that's probably the best we can do, given the state of v4 ACL test coverage. --=20 Jeff Layton