Bug #12617
Missing handling of supplementary groups in ceph-fuse -> rendering it useless for shared environments
Description
While investigating a user's bug report I've stumbled across
https://github.com/ceph/ceph/blob/master/src/client/fuse_ll.cc#L981
ceph-fuse does not handle supplementary user groups AT ALL.
This is a SHOW STOPPER for everyone trying to use ceph-fuse in a multi user shared environment.
Since the callback is only used in Client::check_permissions (https://github.com/ceph/ceph/blob/master/src/client/Client.cc#L4546), the fix would be trivial:
Release the memory allocated for the group list in the callback.
Associated revisions
client: ignore permission check when fuse_default_permissions is on
When fuse_default_permissions is on, linux kernel does permission check.
So there is no need to do extra permission check in ceph-fuse. permission
check code in ceph-fuse has a problem, it does not handle supplementary
user at all (Client::check_permissions() may return -EACCESS in the case
it should return 0).
Fixes: #12617
Signed-off-by: Yan, Zheng <zyan@redhat.com>
History
#1 Updated by Zheng Yan over 8 years ago
I checked the kernel code. It seems that the kernel also does the permission check. Can we just remove the permission in ceph-fuse?
#2 Updated by Zheng Yan over 8 years ago
- Status changed from New to Fix Under Review
#3 Updated by Burkhard Linke over 8 years ago
- File Client.cc.diff added
The following patch adds correct supplementary group retrieval:
If no callback is defined, the getgrouplist() function is used to get a list of supplementary groups for the current uid.
The patch is not complete; it does not contain the necessary functionality to check for the availability of the getgrouplist() function. This has to be done in autoconf/cmake.
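The failure mode named in the commit message and the getgrouplist() lookup described in this comment, as an added example that is not part of the attached patch or of Ceph. `lookup_groups` and `check_perm` are hypothetical names, and root/capability overrides are left out.

```cpp
// Added illustration, not Ceph code. Function names are hypothetical.
#include <grp.h>
#include <pwd.h>
#include <sys/types.h>
#include <unistd.h>
#include <algorithm>
#include <cerrno>
#include <vector>

// Group list for uid via getgrouplist(); empty if uid has no passwd entry.
std::vector<gid_t> lookup_groups(uid_t uid, gid_t primary) {
  struct passwd *pw = getpwuid(uid);
  if (!pw) return {};
  int n = 16;
  std::vector<gid_t> groups(n);
  // On a too-small buffer getgrouplist() returns -1 and stores the needed count in n.
  if (getgrouplist(pw->pw_name, primary, groups.data(), &n) == -1) {
    groups.resize(n);
    if (getgrouplist(pw->pw_name, primary, groups.data(), &n) == -1) return {};
  }
  groups.resize(n);
  return groups;
}

// Owner/group/other check. `want` is a 3-bit mask (4=r, 2=w, 1=x).
// With an empty `groups` this degrades to a primary-gid-only check,
// which is the behaviour the bug report describes.
int check_perm(mode_t mode, uid_t f_uid, gid_t f_gid, uid_t uid, gid_t gid,
               const std::vector<gid_t> &groups, unsigned want) {
  unsigned granted;
  if (uid == f_uid)
    granted = (mode >> 6) & 7;  // owner class
  else if (gid == f_gid ||
           std::find(groups.begin(), groups.end(), f_gid) != groups.end())
    granted = (mode >> 3) & 7;  // group class, supplementary groups included
  else
    granted = mode & 7;         // other class
  return (granted & want) == want ? 0 : -EACCES;
}
```

In a caller, the `groups` argument would come from `lookup_groups(uid, gid)` when no group callback is registered.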
#4 Updated by Sage Weil over 8 years ago
see #3301, and commit:328bf482349485b90911fe8953d8ce5f0769c69e for when this was introduced... hopefully we aren't re-breaking it?
#5 Updated by Zheng Yan over 8 years ago
Burkhard Linke wrote:
The following patch adds correct supplementary group retrieval:
If no callback is defined, the getgrouplist() function is used to get a list of supplementary groups for the current uid.
The patch is not complete; it does not contain the necessary functionality to check for the availability of the getgrouplist() function. This has to be done in autoconf/cmake.
The patch looks good; please complete it and send a pull request.
#6 Updated by John Spray over 8 years ago
Do we need the Client.cc patch here, or just the pull request (https://github.com/ceph/ceph/pull/5480), or both?
#7 Updated by Zheng Yan over 8 years ago
The ignore-client-check patch makes ceph-fuse work; the get_grouplist patch makes programs that directly use libcephfs work. It's better to merge both.
#8 Updated by Zheng Yan over 8 years ago
- Status changed from Fix Under Review to Resolved