Package: nautilus Version: 3.26.3.1-1 Severity: normal Dear Maintainer,
The 3.22.3-1+deb9u1 security update from stretch-security cause some regression. This bug report was made from a Debian sid computer but the bug also appear in stable. On my network I have a directory tree exported with NFSv4 using referrals. For example the exported path : /dnfs/shares Contain two referrals that redirect to some other path : /dnfs/shares/Ressources /dnfs/shares/Base As this is a high school network, I have a users group "teachers" that have RWX access on both using ACLs. The teachers group is not present in standand user/group permissions. So here the steps that lead to the bug. Say I'm a teacher user : 1) At start gio don't detect any WRITE access to the referrals. But maybe this is normal. ~$ gio test /dnfs/shares/Ressources nom d'affichage : Ressource nom d'édition : Ressource nom : Ressource type : directory taille : 4096 uri : file:///dnfs/shares/Ressources attributs : standard::type: 2 standard::name: Ressource standard::display-name: Ressource standard::edit-name: Ressource standard::copy-name: Ressource standard::icon: folder standard::content-type: inode/directory standard::fast-content-type: inode/directory standard::size: 4096 standard::allocated-size: 4096 standard::symbolic-icon: folder-symbolic, folder etag::value: 1538394987:592109 id::file: l38:1839867 id::filesystem: l38 access::can-read: FALSE access::can-write: FALSE access::can-execute: FALSE access::can-delete: FALSE access::can-trash: FALSE access::can-rename: FALSE time::modified: 1538394987 time::modified-usec: 592109 time::access: 1538395042 time::access-usec: 749090 time::changed: 1538394987 time::changed-usec: 592109 unix::device: 38 unix::inode: 1839867 unix::mode: 17400 unix::nlink: 3 unix::uid: 0 unix::gid: 5000006 unix::rdev: 0 unix::block-size: 32768 unix::blocks: 8 owner::user: root owner::user-real: root owner::group: 2de9 2) Next, when I enter the parent /dnfs/shares folder, the two NFS referrals are mounted. They appear on the Nautilus left panel. This is a strange behaviour because from terminal the referrals are only mounted when you enter them. Now gio seems to detect the WRITE access and a new line at the end seems to show that nautilus have read the NFSv4 acls. Note that the inode is also updated : ~$ gio test /dnfs/shares/Ressources nom d'affichage : Ressource nom d'édition : Ressource nom : Ressource type : directory taille : 4096 uri : file:///dnfs/shares/Ressources attributs : standard::type: 2 standard::name: Ressource standard::display-name: Ressource standard::edit-name: Ressource standard::copy-name: Ressource standard::icon: folder standard::content-type: inode/directory standard::fast-content-type: inode/directory standard::size: 4096 standard::allocated-size: 4096 standard::symbolic-icon: folder-symbolic, folder etag::value: 1538394987:592109 id::file: l37:23199783 id::filesystem: l37 access::can-read: TRUE access::can-write: TRUE access::can-execute: TRUE access::can-delete: FALSE access::can-trash: FALSE access::can-rename: FALSE time::modified: 1538394987 time::modified-usec: 592109 time::access: 1538395042 time::access-usec: 749090 time::changed: 1538394987 time::changed-usec: 592109 unix::device: 37 unix::inode: 23199783 unix::mode: 17400 unix::nlink: 3 unix::uid: 0 unix::gid: 5000006 unix::rdev: 0 unix::block-size: 32768 unix::blocks: 8 unix::is-mountpoint: TRUE owner::user: root owner::user-real: root owner::group: 2de9 xattr-sys::system.nfs4_acl: 3) From now, the "gio test" result will not change. Nautilus display crosses on the "Ressources" and "Base" folders as I don't have the permission to enter them. But technically I can. And this is disappointing for my teachers users. 4) The real problem come when the teacher want to create a directory inside the "Ressources" folder. The "New Folder" option stay in grey. Before the CVE-2017-14604 path. Clicking on the grey option works. But now nothing is happening. The user can't create the directory. To workaround the problem there is three possibilies : -> I can press F5 inside the "Ressource" folder. -> If I press F5 before entering the "Ressource" folder the crosses disappears on the referrals. And when I enter the "Ressource" folder I can create directories inside it. -> If from any manner I go a second time inside the parent "shares" folder. The crosses disappears and I can create directories inside the "Ressource" folder. It's seems that Nautilus rightly handle the permission even with nfs4 ACLs. But they are not updated on the right time. Maybe because of the inode change ? Regards, Baptiste. -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.16.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages nautilus depends on: ii desktop-file-utils 0.23-3 ii gsettings-desktop-schemas 3.28.0-1 ii gvfs 1.36.1-1 ii libatk1.0-0 2.28.1-1 ii libc6 2.27-5 ii libcairo-gobject2 1.15.12-1 ii libcairo2 1.15.12-1 ii libexempi3 2.4.5-2 ii libexif12 0.6.21-5 ii libgail-3-0 3.22.30-2 ii libgdk-pixbuf2.0-0 2.36.12-2 ii libglib2.0-0 2.56.1-2 ii libglib2.0-data 2.56.1-2 ii libgnome-autoar-0-0 0.2.3-1 ii libgnome-desktop-3-17 3.28.2-2 ii libgtk-3-0 3.22.30-2 ii libnautilus-extension1a 3.26.3.1-1 ii libpango-1.0-0 1.42.4-1 ii libpangocairo-1.0-0 1.42.4-1 ii libselinux1 2.8-1+b1 ii libtracker-sparql-2.0-0 2.0.3-3 ii libx11-6 2:1.6.6-1 ii nautilus-data 3.26.3.1-1 ii shared-mime-info 1.9-2 Versions of packages nautilus recommends: ii gnome-sushi 3.28.3-1 ii gvfs-backends 1.36.1-1 ii librsvg2-common 2.40.20-2 Versions of packages nautilus suggests: ii eog 3.28.3-1 ii evince [pdf-viewer] 3.28.2-1 ii nautilus-extension-brasero 3.12.2-4 ii nautilus-sendto 3.8.6-2 ii totem 3.26.2-1 ii tracker 2.0.3-3 ii xdg-user-dirs 0.17-1 -- no debconf information

