posix acl permissions evaluated wrongly with null mask

Bug #1081502 reported by Andras Bendzsak
This bug affects 3 people

Affects          Status      Importance  Assigned to  Milestone
linux (Debian)   New         Undecided   Unassigned
linux (Ubuntu)   Incomplete  Medium      Unassigned

Bug Description

Hi!

According to my experience, the Linux kernel access control wrongly evaluates POSIX ACLs when the mask is null (mask::---).

Let's see an example:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::---
          ^^^^^
other::r--

As we can see, the foo user hasn't got any rights on the test file and the mask is zero.
Let's try to read the file as the foo user:
foo@bar:~$ cat /tmp/test
FOOBAR
foo@bar:~$

Success.

According to the documentation (man acl) user foo cannot access the file:
" 2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
              if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
              else access is denied."

If I change the mask entry to something else:
root@bar:~# getfacl /tmp/test
getfacl: Removing leading '/' from absolute path names
# file: tmp/test
# owner: root
# group: root
user::rw-
user:foo:---
group::r-- #effective:---
mask::-w-
          ^^^^^^
other::r--

the foo user cannot read the file:
foo@bar:~$ cat /tmp/test
cat: /tmp/test: Permission denied

I tested with ext4 and tmpfs with the same result. I also tested on a Solaris 9 machine where the permissions work as expected.

System info:
Description: Ubuntu 12.04.1 LTS
Release: 12.04

acl:
  Installed: 2.2.51-5ubuntu1
  Candidate: 2.2.51-5ubuntu1
  Version table:
 *** 2.2.51-5ubuntu1 0
        500 http://hu.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

Linux bar 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux

Thank you for your time and I hope you can find the source of this issue.
---
ApportVersion: 2.0.1-0ubuntu13
Architecture: i386
DistroRelease: Ubuntu 12.04
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release i386 (20120423)
Package: linux
PackageArchitecture: i386
ProcVersionSignature: Ubuntu 3.2.0-29.46-generic-pae 3.2.24
Tags: precise
Uname: Linux 3.2.0-29-generic-pae i686
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
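
The access check that the quoted acl(5) passage describes, written out as an added example (not part of the original report and not kernel code): it applies the documented algorithm to the two getfacl listings from the report, and under it user foo is denied read access with either mask. The function names and the group set assumed for foo are illustrative.

```python
# Added example: the acl(5) access check algorithm applied to getfacl text.
# The two listings are the ones shown in the report; names here are illustrative.

NULL_MASK = """\
user::rw-
user:foo:---
group::r--   #effective:---
mask::---
other::r--
"""
WRITE_MASK = NULL_MASK.replace("mask::---", "mask::-w-")


def parse_acl(text):
    """Turn getfacl output into (tag, qualifier, perms) tuples; '#' comments are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries


def acl_allows(entries, owner, group, user, groups, want):
    """Documented decision for a process running as `user` with group set `groups`."""
    want = set(want)
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def find(tag, qualifier):
        return [p for t, q, p in entries if t == tag and q == qualifier]

    def masked(perms):  # ACL_MASK limits named users and all group entries
        return want <= (perms if mask is None else perms & mask)

    if user == owner:                       # 1. ACL_USER_OBJ, mask not applied
        return want <= find("user", "")[0]
    named = find("user", user)
    if named:                               # 2. matching ACL_USER entry AND ACL_MASK
        return masked(named[0])
    matching = [p for t, q, p in entries if t == "group" and (q or group) in groups]
    if matching:                            # 3. any matching group entry AND ACL_MASK
        return any(masked(p) for p in matching)
    return want <= find("other", "")[0]     # 4. ACL_OTHER, mask not applied


def report_case(acl_text):
    """Read access for user foo (assumed group set {'foo'}) on the root:root file."""
    return acl_allows(parse_acl(acl_text), "root", "root", "foo", {"foo"}, "r")
```

On the reporter's system the first listing let foo read the file, which is the discrepancy the bug describes.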

Andras Bendzsak (benjoe)
summary: - posix acl is evaluated wrong null mask
+ posix acl permissions evaluated wrongly with null mask
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in acl (Ubuntu):
status: New → Confirmed
András Korn (kornandras) wrote :

FWIW, the bug is also present in vanilla kernel 3.5.7. It's a bug in the kernel, not the ACL package (unless the kernel's behaviour is "correct", in which case the ACL documentation must be amended).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
affects: linux-kernel (Ubuntu) → linux (Ubuntu)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1081502

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: precise
Andras Bendzsak (benjoe) wrote : Dependencies.txt

apport information

tags: added: apport-collected
description: updated
Andras Bendzsak (benjoe) wrote : ProcEnviron.txt

apport information

Andras Bendzsak (benjoe) wrote :

I've attached the missing logs.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v3.7 kernel[0] (Not a kernel in the daily directory) and install both the linux-image and linux-image-extra .deb packages.

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

If you are unable to test the mainline kernel, for example it will not boot, please add the tag: 'kernel-unable-to-test-upstream'.
Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.7-rc6-raring/

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Andras Bendzsak (benjoe) wrote :

The bug still exists in the latest mainline kernel.

tags: added: kernel-bug-exists-upstream
no longer affects: acl (Ubuntu)
Changed in linux (Ubuntu):
status: Incomplete → Opinion
status: Opinion → Confirmed
penalvch (penalvch) wrote :

András Korn, this bug was reported a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue? If so, could you please test for this with the latest development release of Ubuntu? ISO images are available from http://cdimage.ubuntu.com/daily-live/current/ .

If it remains an issue, could you please run the following command in the development release from a Terminal (Applications->Accessories->Terminal), as it will automatically gather and attach updated debug information to this report:

apport-collect -p linux <replace-with-bug-number>

If reproducible, could you also please test the latest upstream kernel available (not the daily folder) following https://wiki.ubuntu.com/KernelMainlineBuilds ? It will allow additional upstream developers to examine the issue. Once you've tested the upstream kernel, please comment on which kernel version specifically you tested. If this bug is fixed in the mainline kernel, please add the following tags:
kernel-fixed-upstream
kernel-fixed-upstream-VERSION-NUMBER

where VERSION-NUMBER is the version number of the kernel you tested. For example:
kernel-fixed-upstream-v3.13-rc6

This can be done by clicking on the yellow circle with a black pencil icon next to the word Tags located at the bottom of the bug description. As well, please remove the tag:
needs-upstream-testing

If the mainline kernel does not fix this bug, please add the following tags:
kernel-bug-exists-upstream
kernel-bug-exists-upstream-VERSION-NUMBER

As well, please remove the tag:
needs-upstream-testing

Once testing of the upstream kernel is complete, please mark this bug's Status as Confirmed. Please let us know your results. Thank you for your understanding.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete