Bug #23509

ceph-fuse: broken directory permission checking

Added by Jeff Layton 10 months ago. Updated 3 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Correctness/Safety
Target version:
Start date: 03/29/2018
Due date:
% Done: 0%
Source: Development
Tags:
Backport: luminous,jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS): ceph-fuse
Labels (FS):
Pull request ID:

Description

Description of problem:
We have encountered different behavior of a cephfs-fuse mounted directory than base Linux or kernel-driver mounted directories have with regard to the "cd" command against a directory with "rw-rw-rw-" permissions:

$ id quicklab
uid=1000(quicklab) gid=1000(quicklab) groups=1000(quicklab),4(adm)

# cat /proc/mounts
...
/dev/rbd0 /mnt/ceph-test1 ext4 rw,seclabel,relatime,stripe=1024,data=ordered 0 0
fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
ceph-fuse /mnt/ceph-test2 fuse.ceph-fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
10.74.157.1:6789,10.74.157.55:6789,10.74.156.172:6789:/ /mnt/ceph-test3 ceph rw,relatime,name=admin,secret=<hidden>,acl 0 0

[quicklab@mgmt-0 ~]$ df | grep ceph
/dev/rbd0 50264616 5955968 41732264 13% /mnt/ceph-test1
ceph-fuse 111099904 4788224 106311680 5% /mnt/ceph-test2
10.74.157.1:6789,10.74.157.55:6789,10.74.156.172:6789:/ 377286656 33939456 343347200 9% /mnt/ceph-test3

Linux base directory behavior:
- In regular Linux you cannot access the directory, as you can with cephfs FUSE, but you can still list it:
[quicklab@mons-0 ~]$ ll /tmp/
total 0
drwxrw-rw-. 2 root root 17 Mar 20 10:44 test
[quicklab@mons-0 tmp]$ cd test/
bash: cd: test/: Permission denied
[quicklab@mons-0 ~]$ ll /tmp/test/
ls: cannot access /tmp/test/aaa: Permission denied
total 0
????? ? ? ? ? ? aaa
-----------------------

cephfs with kernel driver:
[root@mgmt-0 ~]# ll /mnt/ceph-test3
total 3704832
-rw-r--r-- 1 root root 3793747968 Mar 21 07:58 rhel-server-7.3-x86_64-dvd.iso
drwxrw-rw- 1 root root 1 Feb 15 07:19 test
drwxr-xr-x 1 root root 21 Mar 21 08:06 var
[root@mgmt-0 ~]# cat /mnt/ceph-test3/test/foo
bar
barbar
bar
[root@mgmt-0 ~]# logout

[quicklab@mgmt-0 ~]$ cat /mnt/ceph-test3/test/foo
cat: /mnt/ceph-test3/test/foo: Permission denied
[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test3/test/
ls: cannot access /mnt/ceph-test3/test/foo: Permission denied
total 0
????? ? ? ? ? ? foo
[quicklab@mgmt-0 ~]$ cd /mnt/ceph-test3/test/
-bash: cd: /mnt/ceph-test3/test/: Permission denied
----------------------

cephfs_fuse behavior:

[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test2/
total 3704833
-rw-r--r--. 1 root root 3793747968 Mar 21 07:58 rhel-server-7.3-x86_64-dvd.iso
drwxrw-rw-. 1 root root 15 Feb 15 07:19 test
drwxr-xr-x. 1 root root 1107205021 Mar 21 08:06 var
[quicklab@mgmt-0 ~]$ ll /mnt/ceph-test2/test/
ls: cannot access /mnt/ceph-test2/test/foo: Permission denied
total 0
-????? ? ? ? ? ? foo

-- allow you to get in ---
[quicklab@mgmt-0 ~]$ cd /mnt/ceph-test2/test/ <----------------------
[quicklab@mgmt-0 test]$ ll
ls: cannot access foo: Permission denied
total 0
-????? ? ? ? ? ? foo
[quicklab@mgmt-0 test]$ touch file
touch: cannot touch ‘file’: Permission denied

Is this behavior expected?

Version-Release number of selected component (if applicable):
ceph-fuse-12.2.1-40.el7cp.x86_64

How reproducible:
always

Steps to Reproduce:
1. mount cephfs-fuse directory
2. chmod 666 /mounted/directory
3. cd /mounted/directory


Related issues

Copied to fs - Backport #23704: luminous: ceph-fuse: broken directory permission checking Resolved
Copied to fs - Backport #23705: jewel: ceph-fuse: broken directory permission checking Rejected

History

#1 Updated by Jeff Layton 10 months ago

Kernel chdir syscall does:

       error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);

...that dispatches to fuse_permission:

        } else if (mask & (MAY_ACCESS | MAY_CHDIR)) {
                err = fuse_access(inode, mask);

That will dispatch an "access" call to the daemon, which in ceph does this:

        static void fuse_ll_access(fuse_req_t req, fuse_ino_t ino, int mask)
        {
          fuse_reply_err(req, 0);
        }

...so I think we need to do proper permission checking there.

#2 Updated by Patrick Donnelly 10 months ago

  • Subject changed from broken ceph-fuse directory permission checking to ceph-fuse: broken directory permission checking
  • Target version set to v13.0.0
  • Source set to Development
  • Backport set to luminous,jewel

#4 Updated by Patrick Donnelly 9 months ago

  • Status changed from New to Pending Backport

#5 Updated by Nathan Cutler 9 months ago

  • Copied to Backport #23704: luminous: ceph-fuse: broken directory permission checking added

#6 Updated by Nathan Cutler 9 months ago

  • Copied to Backport #23705: jewel: ceph-fuse: broken directory permission checking added

#9 Updated by Patrick Donnelly 3 months ago

  • Status changed from Pending Backport to Resolved
