From: John Bazik <john_bazik@brown.edu>
To: linux-nfs@vger.kernel.org
Subject: access(2) inaccurately reports execute permissions
Date: Wed, 8 Mar 2017 16:50:58 -0500
Message-ID: <20170308215058.GO27384@cs.brown.edu>

I have evidence that the system call access(2), with mode set to X_OK,
does not accurately report execute permissions for a file mounted via
NFS4 and with execute provided by an NFS4 ACL.

Here's a transcript:

root@radio:/testmnt# nfs4_getfacl acltestjan3017/testacls/f.test301.test261.400.u+test314=5
A::OWNER@:rtTcCy
A::test314@ad.brown.edu:rxtcy
A::GROUP@:tcy
A::EVERYONE@:tcy
root@radio:/testmnt# ./runas -k test314 ./test_access acltestjan3017/testacls/f.test301.test261.400.u+test314=5
USER 999999314 (test314) 999999314 (test314) 999999314 (test314)
GROUP 1427981 (user-test314) 1427981 (user-test314) 1427981 (user-test314)
KRB5 test314@AD.BROWN.EDU
SUPPL GROUPS: user-test314
r-- acltestjan3017/testacls/f.test301.test261.400.u+test314=5
root@radio:/testmnt# ./runas -k test314 acltestjan3017/testacls/f.test301.test261.400.u+test314=5

My script "runas" su's and acquires Kerberos credentials for the given
user, and executes the given command.

My command test_access (a C program) prints all process credentials
and then runs access(2) separately with R_OK, W_OK and X_OK modes,
and prints the result.

The second line shows that access(2) indicates that user test314 has only
read rights, despite the user ACE for test314. The last line shows that
test314 can, in fact, execute the file (which is empty - no error).

My client is a Debian Jessie system with these various versions of things:

    Debian 8.6
    Kernel 3.16.0-4-amd64
    acl 2.2.52-2
    libgssapi-krb5-2 1.12.1+dfsg-19+deb8u2
    librpcsecgss3 (not installed)
    nfs-utils (? don't see it)
    util-linux 2.25.2-6

The server is an EMC Isilon.

John
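
The comparison made in this report, the X_OK answer from access(2) against an actual execution attempt, as an added example; it is not the poster's test_access program or runas script. The helper names access_says_exec and exec_errno are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: advisory answer from access(2), real uid/gid. */
int access_says_exec(const char *path)
{
    return access(path, X_OK) == 0;
}

/* Hypothetical helper: attempt execve(2) in a child and report the outcome.
 * Returns 0 if the exec went through (the target then runs in the child),
 * the errno of the failed execve() otherwise, or -1 if setup failed.
 * ENOEXEC (e.g. an empty file) means the permission check itself passed. */
int exec_errno(const char *path)
{
    int fds[2], err = 0;
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        close(fds[0]);
        fcntl(fds[1], F_SETFD, FD_CLOEXEC);  /* pipe closes itself if exec works */
        execve(path, argv, envp);
        err = errno;
        (void)!write(fds[1], &err, sizeof err);
        _exit(127);
    }
    close(fds[1]);
    if (read(fds[0], &err, sizeof err) != (ssize_t)sizeof err)
        err = 0;                             /* EOF: the exec went through */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return err;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int adv = access_says_exec(argv[1]), err = exec_errno(argv[1]);
    printf("access(X_OK): %s\n", adv ? "granted" : "denied");
    printf("execve():     %s\n", err == 0 ? "ran" : strerror(err));
    return (adv != 0) == (err == 0 || err == ENOEXEC) ? 0 : 1;  /* 1: they disagree */
}
```

Exit status 1 flags the situation in the report: access(2) refuses X_OK while the execution attempt is not refused on permission grounds.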