Bug #57084

Permissions of the .snap directory do not inherit ACLs

Added by Robert Sander 4 months ago. Updated about 1 month ago.

Status: Pending Backport
Priority: Normal
Assignee:
Category: Administration/Usability
Target version:
% Done: 0%
Source:
Tags: backport_processed
Backport: pacific,quincy
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Component(FS): MDS
Labels (FS): snapshots
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When using CephFS with POSIX ACLs I noticed that the .snap directory does not inherit the ACLs from its parent but only the standard UNIX permissions.

This results in a permission denied error when users want to access snapshots in that directory because they are not the owner or in the group. They do have access to the directory via a group that is listed in the POSIX ACLs.

To reproduce:

mounted CephFS on /mnt/cephfs

# mkdir /mnt/cephfs/test

# chmod 0750 /mnt/cephfs/test

# ls -ld /mnt/cephfs/test
drwxr-x--- 2 root root 0 Aug 10 09:31 /mnt/cephfs/test/

# setfacl -m g:users:rwx /mnt/cephfs/test

# getfacl /mnt/cephfs/test
getfacl: Removing leading '/' from absolute path names
# file: mnt/cephfs/test
# owner: root
# group: root
user::rwx
group::r-x
group:users:rwx
mask::rwx
other::---

# mkdir /mnt/cephfs/test/.snap/snap01

# ls -la /mnt/cephfs/test/.snap
total 0
drwxrwx---  2 root root 0 Aug 10 09:31 ./
drwxrwx---+ 2 root root 0 Aug 10 09:31 ../
drwxrwx---+ 2 root root 0 Aug 10 09:31 snap01/

# getfacl /mnt/cephfs/test/.snap
getfacl: Removing leading '/' from absolute path names
# file: mnt/cephfs/test/.snap
# owner: root
# group: root
user::rwx
group::rwx
other::---

# getfacl /mnt/cephfs/test/.snap/snap01
getfacl: Removing leading '/' from absolute path names
# file: mnt/cephfs/test/.snap/snap01
# owner: root
# group: root
user::rwx
group::r-x
group:users:rwx
mask::rwx
other::---

Result: Members of the group "users" do not have access to the snapshots because the .snap directory does not carry the ACLs.

Should be: Members of the group "users" have access to the snapshots.
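
An added example, not part of the original report or of Ceph: a POSIX shell check that lists the extended ACL entries (named users, named groups, mask) a directory carries but its .snap directory lacks. The function names are hypothetical and the sample ACL text is copied from the getfacl output in the reproduction above.

```shell
#!/bin/sh
# Added example: compare a directory's ACL with the ACL of its .snap directory.

# Read getfacl text on stdin and print only the extended entries
# (named user/group entries and the mask), sorted, without "#effective" notes.
extended_entries() {
    grep -E '^(user|group):[^:]+:|^mask::' | sed 's/[[:space:]]*#.*$//' | sort
}

# $1 = getfacl text of the parent, $2 = getfacl text of the .snap directory.
# Prints every extended entry of the parent that the .snap directory lacks.
missing_on_snap() {
    snap_entries=$(printf '%s\n' "$2" | extended_entries)
    printf '%s\n' "$1" | extended_entries | while IFS= read -r entry; do
        printf '%s\n' "$snap_entries" | grep -Fxq -- "$entry" \
            || printf '%s\n' "$entry"
    done
}

# Live use on a mounted file system, e.g.: audit_snap_dir /mnt/cephfs/test
audit_snap_dir() {
    missing_on_snap "$(getfacl -p "$1")" "$(getfacl -p "$1/.snap")"
}

# Sample input taken from the getfacl output shown in the report.
PARENT_ACL='# file: mnt/cephfs/test
# owner: root
# group: root
user::rwx
group::r-x
group:users:rwx
mask::rwx
other::---'

SNAP_ACL='# file: mnt/cephfs/test/.snap
# owner: root
# group: root
user::rwx
group::rwx
other::---'

# snap01 carries the same entries as the parent in the report.
SNAP01_ACL=$(printf '%s\n' "$PARENT_ACL" | sed '1s|test$|test/.snap/snap01|')

# Entries the .snap directory is missing relative to its parent.
missing_on_snap "$PARENT_ACL" "$SNAP_ACL"
```

Empty output means the .snap directory carries every extended entry of its parent, which is the state the report asks for.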


Related issues

Copied to CephFS - Backport #57874: quincy: Permissions of the .snap directory do not inherit ACLs (In Progress)
Copied to CephFS - Backport #57875: pacific: Permissions of the .snap directory do not inherit ACLs (In Progress)

History

#1 Updated by Venky Shankar 3 months ago

  • Category set to Administration/Usability
  • Status changed from New to Triaged
  • Assignee set to Venky Shankar
  • Target version set to v18.0.0
  • Backport set to pacific,quincy
  • Component(FS) deleted (Common/Protocol)

#2 Updated by Venky Shankar 3 months ago

Thanks for the detailed report, Robert. This sounds like a bug.

Is this the user-space or the kernel client?

#3 Updated by Robert Sander 3 months ago

Venky Shankar wrote:

Is this the user-space or the kernel client?

It happens with kernel 5.15 and ceph-fuse 17.2.0. The test system is Ubuntu 22.04 jammy.

#4 Updated by Venky Shankar 2 months ago

  • Status changed from Triaged to Fix Under Review
  • Pull request ID set to 48086

#5 Updated by Ramana Raja 2 months ago

  • Description updated (diff)

#6 Updated by Venky Shankar about 1 month ago

  • Status changed from Fix Under Review to Resolved

#7 Updated by Venky Shankar about 1 month ago

  • Status changed from Resolved to Pending Backport

#8 Updated by Backport Bot about 1 month ago

  • Copied to Backport #57874: quincy: Permissions of the .snap directory do not inherit ACLs added

#9 Updated by Backport Bot about 1 month ago

  • Copied to Backport #57875: pacific: Permissions of the .snap directory do not inherit ACLs added

#10 Updated by Backport Bot about 1 month ago

  • Tags set to backport_processed
