Bug #35961
closednfs-ganesha: ceph_fsal_setattr2 returned Operation not permitted
0%
Description
How to reproduce:
1. mount the nfs-ganesha export directory
2. log in using user1 and create new file named abc.txt
uid=9998(user1) gid=100(users) groups=100(users)
3. add new user user2, and its user group is same as user1's
4. chmod 664 abc.txt
5. log in using user2, and write new string to abc.txt
echo 'Hello' > abc.txt
6. The error "Operation not permitted" will be output
nfs-ganesha logs:
11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] nfs3_setattr :NFS3 :DEBUG :REQUEST PROCESSING: Calling nfs_Setattr handle: File Handle V3: Len=24 4300000110e903000000010000feffffffffffffff000000 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] nfs3_Sattr_To_FSALattr :NFS3 :F_DBG :size = 0 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] nfs3_Sattr_To_FSALattr :NFS3 :F_DBG :set=0 mtime = 0 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] nfs3_Sattr_To_FSALattr :NFS3 :F_DBG :SET_TO_SERVER_TIME Mtime 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] fsal_check_setattr_perms :FSAL :DEBUG :Change SIZE requires FSAL_ACE_PERM_WRITE_DATA 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] fsal_check_setattr_perms :FSAL :DEBUG :Change ATIME and MTIME to NOW requires FSAL_ACE_PERM_WRITE_DATA 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] fsal_check_setattr_perms :FSAL :DEBUG :Requires WRITE_DATA 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] fsal_check_setattr_perms :FSAL :DEBUG :Access check returned No error (checked mode) 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] ceph_fsal_setattr2 :FSAL :F_DBG :attrs set attributes Valid Mask=00400004 size=0x0 mtime=SERVER 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] fsal_find_fd :FSAL :F_DBG :Use global fd openflags = 3 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] ceph_fsal_setattr2 :FSAL :DEBUG :setting size to 0 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] ceph_fsal_setattr2 :FSAL :DEBUG :setattrx returned Operation not permitted (1) 11/09/2018 07:58:20 : epoch 5b976502 : ceph44 : ganesha.nfsd-7442[svc_1] nfs3_setattr :NFS3 :F_DBG :fsal_setattr failed
cephfs client logs:
2018-09-11 07:58:20.329 7feba05dc700 8 client.54044 _ll_setattrx 0x100000003e9.head mask 28 2018-09-11 07:58:20.329 7feba05dc700 20 client.54044 may_setattr 0x100000003e9.head(faked_ino=0 ref=4 ll_ref=1 cap_refs={4=0,1024=0,4096=0,8192=0} open={3=1} mode=100664 size=6/4194304 nlink=1 btime=2018-09-11 07:57:55.598147 mtime=2018-09-11 07:57:55.618157 ctime=2018-09-11 07:58:06.405966 caps=pAsxLsXsxFsxcrwb(0=pAsxLsXsxFsxcrwb) objectset[0x100000003e9 ts 0/0 objects 1 dirty_or_tx 0] parents=0x10000000000.head["abc.txt"] 0x7feb98008640); UserPerm(uid: 9998, gid: 100) 2018-09-11 07:58:20.329 7feba05dc700 10 client.54044 _getattr mask As issued=1 2018-09-11 07:58:20.329 7feba05dc700 3 client.54044 may_setattr 0x7feb98008640 = -1 2018-09-11 07:58:20.329 7feba05dc700 3 client.54044 ll_setattrx 0x100000003e9.head = -1
Updated by shangzhong zhu over 5 years ago
nfs-ganesha 2.6.3
ceph version 13.2.1
nfs client: nfs-utils-1.3.0-0.54.el7.x86_64
mount nfs export directory with NFSV3
Updated by Jeff Layton over 5 years ago
It fell down on the truncate. The setattr mask shows CEPH_SETATTR_MTIME and CEPH_SETATTR_SIZE. I suspect this check in may_setattr is wrong, but I'll need to go over the logic in detail to determine why.
if (mask & (CEPH_SETATTR_CTIME | CEPH_SETATTR_BTIME | CEPH_SETATTR_MTIME | CEPH_SETATTR_ATIME)) { if (perms.uid() != 0 && perms.uid() != in->uid) { int check_mask = CEPH_SETATTR_CTIME | CEPH_SETATTR_BTIME; if (!(mask & CEPH_SETATTR_MTIME_NOW)) check_mask |= CEPH_SETATTR_MTIME; if (!(mask & CEPH_SETATTR_ATIME_NOW)) check_mask |= CEPH_SETATTR_ATIME; if (check_mask & mask) { goto out; } else { r = inode_permission(in, perms, MAY_WRITE); if (r < 0) goto out; } } }
Updated by Jeff Layton over 5 years ago
I take it back. The check is correct. What's happening is that ganesha is just calling CEPH_SETATTR_MTIME with the current time and that is causing the check to fail. What we probably need to do is expose the CEPH_SETATTR_MTIME_NOW in the header file and then have ganesha use it (ditto with the ATIME one).
Updated by shangzhong zhu over 5 years ago
Updated by shangzhong zhu over 5 years ago
Patch for nfs-ganesha submitted:
Updated by Patrick Donnelly over 5 years ago
- Status changed from New to Fix Under Review
- Assignee changed from Jeff Layton to shangzhong zhu
- Target version set to v14.0.0
- Source set to Community (dev)
- Backport set to mimic,luminous
- ceph-qa-suite deleted (
fs) - Component(FS) deleted (
Client, Ganesha FSAL)
Updated by Patrick Donnelly over 5 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Nathan Cutler over 5 years ago
- Copied to Backport #36205: mimic: nfs-ganesha: ceph_fsal_setattr2 returned Operation not permitted added
Updated by Nathan Cutler over 5 years ago
- Copied to Backport #36206: luminous: nfs-ganesha: ceph_fsal_setattr2 returned Operation not permitted added
Updated by Patrick Donnelly over 5 years ago
- Status changed from Pending Backport to Resolved