From nobody@FreeBSD.org  Mon Jan  7 13:04:06 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
	by hub.freebsd.org (Postfix) with ESMTP id 3EA055A7
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  7 Jan 2013 13:04:06 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 1999F8D6
	for <freebsd-gnats-submit@FreeBSD.org>; Mon,  7 Jan 2013 13:04:06 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id r07D45Ph027144
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 7 Jan 2013 13:04:05 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id r07D45wK027143;
	Mon, 7 Jan 2013 13:04:05 GMT
	(envelope-from nobody)
Message-Id: <201301071304.r07D45wK027143@red.freebsd.org>
Date: Mon, 7 Jan 2013 13:04:05 GMT
From: Sandra <littlesandra88@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         175101
>Category:       kern
>Synopsis:       [zfs] [nfs] ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    trasz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 07 13:10:00 UTC 2013
>Closed-Date:    Tue Jun 25 08:33:55 UTC 2013
>Last-Modified:  Tue Jun 25 08:33:55 UTC 2013
>Originator:     Sandra
>Release:        9
>Organization:
>Environment:
>Description:
In the output below, which is from the script in "How to repeat the problem", it can be seen that user "www", which doesn't own file1 and only has "rx" permissions on /tank/project1/test3, is able to delete /tank/project1/test3/file1 and, in doing so, updates the timestamp on /tank/project1/test3.

This should not be possible with the given permissions.


#!/usr/local/bin/bash -v

clear

p="/tank/project1"
d="$p/test3"
u="user1"

rm -rf $d
setfacl -b $p

setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p
# file: /tank/project1
# owner: root
# group: wheel
          user:www:rwxpDdaARWcCos:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow

su -m $u -c "mkdir $d"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
          user:www:rwxpDdaARWcCos:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow

su -m $u -c "touch $d/file1"

# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d
# file: /tank/project1/test3
# owner: user1
# group: wheel
          user:www:r-x-----------:fd----:allow
          user:www:r-x-----------:fd----:allow
        user:user1:rwxpDdaARWcCos:fd----:allow
            owner@:rwx-----------:fd----:allow
            group@:--------------:fd----:allow
         everyone@:--------------:fd----:allow

# www should be able to read and delete because file1 was created before the ACL
getfacl $d/file1
# file: /tank/project1/test3/file1
# owner: user1
# group: wheel
          user:www:rw-pDdaARWcCos:------:allow
        user:user1:rw-pDdaARWcCos:------:allow
            owner@:rw------------:------:allow
            group@:--------------:------:allow
         everyone@:--------------:------:allow
su -m www -c "touch $d/file2"
touch: /tank/project1/test3/file2: Permission denied
su -m www -c "cat $d/file1"

touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d
drwx------+ 2 user1  wheel  2 Jan  7 12:25 /tank/project1/test3

>How-To-Repeat:
#!/usr/local/bin/bash -v

clear
p="/tank/project1"
d="$p/test3"
u="user1"

rm -rf $d
setfacl -b $p

setfacl -m group@::fd:allow $p || exit 1
setfacl -m everyone@::fd:allow $p || exit 1
setfacl -m owner@:rwx:fd:allow $p || exit 1
setfacl -m u:$u:full_set:fd:allow $p || exit 1
setfacl -m u:www:full_set:fd:allow $p || exit 1
getfacl $p

su -m $u -c "mkdir $d"
getfacl $d

su -m $u -c "touch $d/file1"

# user1 wants www only to have read access
su -m $u -c "setfacl -m u:www:rx:fd:allow $d || exit 1"
getfacl $d

# www should not be able to delete file1, as delete has not been granted
# also notice that www's rm updates the timestamp on the parent dir.
# this should not be possible
getfacl $d/file1
su -m www -c "touch $d/file2"
su -m www -c "cat $d/file1"

touch -amct 191212121212 $d
su -m www -c "rm $d/file1"
ls -ld $d

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jan 8 04:36:23 UTC 2013 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175101 
Responsible-Changed-From-To: freebsd-fs->trasz 
Responsible-Changed-By: trasz 
Responsible-Changed-When: Tue Jan 15 17:01:04 UTC 2013 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175101 
State-Changed-From-To: open->feedback 
State-Changed-By: trasz 
State-Changed-When: Mon Apr 1 13:21:27 UTC 2013 
State-Changed-Why:  
In your example, user www has 'delete' permission for test3/file1, so he 
doesn't need write permission for test3/.  Right? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175101 

From: Sandra Schlichting <littlesandra88@gmail.com>
To: bug-followup@freebsd.org, Sandra Schlichting <littlesandra88@gmail.com>
Cc:  
Subject: Re: kern/175101: [zfs] [nfs] ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
Date: Wed, 3 Apr 2013 15:47:57 +0200

 The problem is that user1 is the owner of /tank/project1/test3/file1,
 but www can delete it even though www only has rx permission.
 
 Also notice
 
 touch -amct 191212121212 $d
 su -m www -c "rm $d/file1"
 ls -ld $d
 
 where I set the timestamp to 1912 for /tank/project1/test3, but when
 www deletes /tank/project1/test3/file1, the timestamp is updated on
 /tank/project1/test3, which www does not have permission to do.
 
 www should have been denied to delete /tank/project1/test3/file1
 because www does not have permission to update the timestamp on the
 parent directory /tank/project1/test3

From: Edward Tomasz Napierała <trasz@FreeBSD.org>
To: Sandra Schlichting <littlesandra88@gmail.com>
Cc:  
Subject: Re: kern/175101: [zfs] [nfs] ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
Date: Sat, 6 Apr 2013 21:08:41 +0200

 Message written by Sandra Schlichting on 3 Apr 2013, at 15:50:
 > The following reply was made to PR kern/175101; it has been noted by GNATS.
 > 
 > From: Sandra Schlichting <littlesandra88@gmail.com>
 > To: bug-followup@freebsd.org, Sandra Schlichting <littlesandra88@gmail.com>
 > Cc: 
 > Subject: Re: kern/175101: [zfs] [nfs] ZFS NFSv4 ACL's allows user without perm to delete and update timestamp
 > Date: Wed, 3 Apr 2013 15:47:57 +0200
 > 
 > The problem is that user1 is the owner of /tank/project1/test3/file1,
 > but www can delete it even though www only has rx permission.
 
 It has "rx" for the containing directory, but it also has "delete"
 permission on the file being removed; that's why removal is permitted.
 
 > Also notice
 > 
 > touch -amct 191212121212 $d
 > su -m www -c "rm $d/file1"
 > ls -ld $d
 > 
 > where I set the timestamp to 1912 for /tank/project1/test3, but when
 > www deletes /tank/project1/test3/file1, the timestamp is updated on
 > /tank/project1/test3, which www does not have permission to do.
 
 This is implicit - you don't need to be file owner to e.g. change
 modification time when you modify it.
 
 > www should have been denied to delete /tank/project1/test3/file1
 > because www does not have permission to update the timestamp on the
 > parent directory /tank/project1/test3
 
 See above.
 
 -- 
 If you cut off my head, what would I say?  Me and my head, or me and my body?
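
The delete rule trasz describes, as an added example that is not part of the PR or of FreeBSD: a Python model of the decision chart in zfs_zaccess_delete() (zfs_acl.c), run on the ACLs quoted in the report. Besides the report's own state it evaluates two hypothetical follow-ups that appear nowhere in the PR: user1 cutting www's entry on file1 down to read_data, and an explicit deny of delete_child on test3 with file1 left alone. The model leaves out root privileges, dataset-level checks and the sticky-bit check, and assumes www is not a member of wheel.

```python
"""NFSv4 delete decision as ZFS makes it, applied to the scenario from PR kern/175101.

Added example, not code from the PR or from FreeBSD. It follows the decision chart in
zfs_zaccess_delete() (zfs_acl.c) and the first-match ACE walk behind it, minus root
privileges, dataset-level checks and the sticky bit. Group membership is assumed.
"""
from collections import namedtuple
PERM_NAMES = {  # getfacl(1) verbose permission letters, in the column order it prints
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
Ace = namedtuple("Ace", "tag who perms flags kind")   # kind: allow or deny
Obj = namedtuple("Obj", "owner group is_dir acl")     # acl: Ace list in stored order
Cred = namedtuple("Cred", "user groups")

def parse_ace(line):
    """One line of getfacl output, e.g. 'user:www:r-x-----------:fd----:allow'."""
    parts = line.strip().split(":")
    if parts[0].endswith("@"):                  # owner@ / group@ / everyone@
        tag, who, (perms, flags, kind) = parts[0], "", parts[1:4]
    else:                                       # user:<name> / group:<name>
        tag, who, (perms, flags, kind) = parts[0], parts[1], parts[2:5]
    return Ace(tag, who, frozenset(PERM_NAMES[c] for c in perms if c != "-"),
               flags, kind)

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def ace_applies(ace, obj, cred):
    return {"owner@": cred.user == obj.owner, "group@": obj.group in cred.groups,
            "everyone@": True, "user": cred.user == ace.who,
            "group": ace.who in cred.groups}[ace.tag]

def aces_check(obj, wanted, cred):
    """First-match walk. 'allow': every wanted bit granted; 'deny': a matching deny entry
    covered one; 'unspecified': ACL ended undecided (ZFS then checks privileges; not modelled)."""
    needed, denied = set(wanted), set()
    for ace in obj.acl:
        if obj.is_dir and "i" in ace.flags:     # inherit-only entries do not apply to the dir
            continue
        hit = ace.perms & needed
        if not hit or not ace_applies(ace, obj, cred):
            continue
        if ace.kind == "deny":
            denied |= hit
        needed -= hit                           # decided either way; later entries can't undo it
        if not needed:
            break
    return "deny" if denied else "unspecified" if needed else "allow"

def can_delete(parent, target, cred):
    """The rows of the zfs_zaccess_delete() chart for an unprivileged caller."""
    parent_dc = aces_check(parent, {"delete_child"}, cred)
    if parent_dc == "allow":
        return True, "parent grants delete_child"
    if aces_check(target, {"delete"}, cred) == "allow":
        return True, "target grants delete"     # what the report observed
    if parent_dc == "deny":
        return False, "parent denies delete_child"
    if aces_check(parent, {"write_data", "execute"}, cred) == "allow":
        return True, "parent grants write_data+execute"
    return False, "nothing grants delete"

# ACLs as getfacl printed them in the report after user1 ran
# `setfacl -m u:www:rx:fd:allow` on test3; file1 keeps the full_set it inherited.
TEST3_ACL = parse_acl("""
user:www:r-x-----------:fd----:allow
user:www:r-x-----------:fd----:allow
user:user1:rwxpDdaARWcCos:fd----:allow
owner@:rwx-----------:fd----:allow
group@:--------------:fd----:allow
everyone@:--------------:fd----:allow
""")
FILE1_ACL = parse_acl("""
user:www:rw-pDdaARWcCos:------:allow
user:user1:rw-pDdaARWcCos:------:allow
owner@:rw------------:------:allow
group@:--------------:------:allow
everyone@:--------------:------:allow
""")
WWW = Cred("www", frozenset({"www"}))           # assumed: www is not a member of wheel
def scenarios():
    """The report's state plus two hypothetical follow-ups user1 could make."""
    test3 = Obj("user1", "wheel", True, TEST3_ACL)
    file1 = Obj("user1", "wheel", False, FILE1_ACL)
    # Hypothetical: www's entry on file1 cut down to read_data only.
    file1_ro = file1._replace(acl=[parse_ace("user:www:r-------------:------:allow")] + FILE1_ACL[1:])
    # Hypothetical: an explicit deny of delete_child on test3, file1 left alone.
    test3_deny = test3._replace(acl=[parse_ace("user:www:----D---------:------:deny")] + TEST3_ACL)
    return {"as reported": can_delete(test3, file1, WWW),
            "file1 tightened": can_delete(test3, file1_ro, WWW),
            "parent deny only": can_delete(test3_deny, file1, WWW)}

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

Run as is, the report's state comes out permitted because the entry file1 inherited at creation still grants `d` (delete) to www; the parent's `rx` never enters into it. Tightening file1 flips the decision, while a deny of delete_child on the parent alone does not, because the chart's second row lets the target's own delete grant win. The `fd` flags in `setfacl -m u:www:rx:fd:allow` only shape entries for children created afterwards; existing children keep what they inherited, which is why the report's own getfacl of file1 still shows full_set after the directory was changed.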
 
State-Changed-From-To: feedback->closed 
State-Changed-By: trasz 
State-Changed-When: Tue Jun 25 08:33:54 UTC 2013 
State-Changed-Why:  
Not a bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175101 
>Unformatted:
