Project

General

Profile

Bug #12617

Missing handling of supplementary groups in ceph-fuse -> rendering it useless for shared environments

Added by Burkhard Linke over 7 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
fs
Component(FS):
Labels (FS):
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

During investigating a user's bug report I've stumbled accross

https://github.com/ceph/ceph/blob/master/src/client/fuse_ll.cc#L981

ceph-fuse does not handle supplementary user groups AT ALL.

This is a SHOW STOPPER for everyone trying to use ceph-fuse in a multi user shared environment.

Since the callback is only used in Client::check_permissions (https://github.com/ceph/ceph/blob/master/src/client/Client.cc#L4546), the fix would be trivial:

Release the memory allocated for the group list in the callback.

Client.cc.diff View (1.88 KB) Burkhard Linke, 08/05/2015 02:27 PM

Associated revisions

Revision 51aae7b5 (diff)
Added by Yan, Zheng over 7 years ago

client: ignore permission check when fuse_default_permissions is on

When fuse_default_permissions is on, linux kernel does permission check.
So there is no need to do extra permission check in ceph-fuse. permission
check code in ceph-fuse has a problem, it does not handle supplementary
user at all (Client::check_permissions() may return -EACCESS in the case
it should return 0).

Fixes: #12617
Signed-off-by: Yan, Zheng <>

History

#1 Updated by Zheng Yan over 7 years ago

I checked the kernel code, It seem that kernel also does the permission check. can we just remove the permission in ceph-fuse

#2 Updated by Zheng Yan over 7 years ago

  • Status changed from New to Fix Under Review

#3 Updated by Burkhard Linke over 7 years ago

The following patch adds correct supplementary group retrieval:

If no callback is defined, the getgrouplist() function is used to get a list of supplementary groups for the current uid.

The patch is not complete; it does not contain the necessary functionality to check for the availability of the getgrouplist() function. This has to be done in autoconf/cmake.

#4 Updated by Sage Weil over 7 years ago

see #3301, and commit:328bf482349485b90911fe8953d8ce5f0769c69e for when this was introduced... hopefully we aren't re-breaking it?

#5 Updated by Zheng Yan over 7 years ago

Burkhard Linke wrote:

The following patch adds correct supplementary group retrieval:

If no callback is defined, the getgrouplist() function is used to get a list of supplementary groups for the current uid.

The patch is not complete; it does not contain the necessary functionality to check for the availability of the getgrouplist() function. This has to be done in autoconf/cmake.

the patch looks good, please complete it and send a pull request

#6 Updated by John Spray over 7 years ago

Do we need the Client.cc patch here, or just the pull request (https://github.com/ceph/ceph/pull/5480), or both?

#7 Updated by Zheng Yan over 7 years ago

ignore client check patch makes ceph-fuse work, the get_grouplist patch makes programs that directly use libcephfs work. It's better to merge both

#8 Updated by Zheng Yan over 7 years ago

  • Status changed from Fix Under Review to Resolved

Also available in: Atom PDF