[ https://issues.apache.org/jira/browse/HDFS-13038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16334406#comment-16334406 ]

Daryn Sharp commented on HDFS-13038:
------------------------------------

Don't agree with the patch.  There's no formal posix spec for acls.  This 
patch appears even more restrictive than linux by requiring path read access 
instead of possibly parent read access.  Linux docs for getfacl state:
{panel:title=PERMISSIONS}
Process with search access to a file (i.e., processes with read access to the 
containing directory of a file) are also granted read access to the file's 
ACLs. This is analogous to the permissions required for accessing the file mode.
{panel}

This is confusing at best. It implies parent "search access" equals "read 
access".  "Search access" means execute bit regardless of read bit – which is 
what hdfs enforces today.  Please test how linux actually works and I'll verify 
when time permits.

> User with no permission on file is able to run getfacl for that file
> --------------------------------------------------------------------
>
>                 Key: HDFS-13038
>                 URL: https://issues.apache.org/jira/browse/HDFS-13038
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Namit Maheshwari
>            Assignee: Lokesh Jain
>            Priority: Major
>         Attachments: HDFS-13038.001.patch
>
>
> Currently any user with EXECUTE permission can run getfacl on a file or 
> directory. This Jira adds a check for READ access of user on the inode path. 
> {code:java}
> [root@host ~]$ hdfs dfs -copyFromLocal /etc/a.txt /tmp
> [root@host ~]$ hdfs dfs -setfacl -m user:abc:--- /tmp/a.txt
> {code}
> Since user abc does not have read permission on the file 'cat' command throws 
> Permission Denied error but getfacl executes normally.
> {code:java}
> [abc@host ~]$ hdfs dfs -cat /tmp/a.txt
> cat: Permission denied: user=abc, access=READ, 
> inode="/tmp/a.txt":abc:hdfs:-rw-r--r-- 
> [abc@host ~]$ hdfs dfs -getfacl /tmp/a.txt 
> # file: /tmp/a.txt 
> # owner:root 
> # group: hdfs 
> user::rw- 
> user:abc:--- 
> group::r-- 
> mask::r-- 
> other::r--
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
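The two checks argued over above, as an added example that is not code from HDFS or from anyone in this thread: a small model of POSIX-ACL evaluation (owner entry unmasked; named-user, group and named-group entries masked) over a constructed tree that mirrors the getfacl output in the issue, contrasting the traverse-only check (EXECUTE on every ancestor, what the comment says HDFS enforces today) with the patch's additional READ check on the inode itself. The inode layout, the user `bob`, and the ACLs on `/` and `/tmp` are assumptions for the sake of the illustration.

```python
# Added example (not HDFS code): model POSIX-ACL checks for getfacl on a constructed tree.
from dataclasses import dataclass, field

@dataclass
class Inode:
    owner: str
    group: str
    acl: dict                          # e.g. {"user::": "rw-", "user:abc": "---", ...}
    children: dict = field(default_factory=dict)

def effective(inode, user, groups):
    """Permission bits `user` (member of `groups`) gets on `inode`, per the POSIX ACL algorithm."""
    acl = inode.acl
    mask = acl.get("mask::", "rwx")                      # no mask entry means nothing is masked
    masked = lambda p: "".join(c if c in mask else "-" for c in p)
    if user == inode.owner:
        return acl["user::"]                             # owner entry is never masked
    if f"user:{user}" in acl:
        return masked(acl[f"user:{user}"])               # named user entry, masked
    hits = [acl["group::"]] if inode.group in groups else []
    hits += [acl[f"group:{g}"] for g in groups if f"group:{g}" in acl]
    if hits:                                             # any matching group entry may grant a bit
        return masked("".join(b if any(b in h for h in hits) else "-" for b in "rwx"))
    return acl["other::"]

def lookup(root, path):
    """Inodes from the root down to `path` (root first, target last)."""
    nodes = [root]
    for part in [p for p in path.split("/") if p]:
        nodes.append(nodes[-1].children[part])
    return nodes

def may_traverse(root, path, user, groups):
    """Today's getfacl gate per the comment: search (EXECUTE) on every ancestor directory."""
    return all("x" in effective(d, user, groups) for d in lookup(root, path)[:-1])

def may_getfacl_patched(root, path, user, groups):
    """The patch's gate: traverse plus READ on the target inode itself."""
    target = lookup(root, path)[-1]
    return may_traverse(root, path, user, groups) and "r" in effective(target, user, groups)

# Constructed tree mirroring the issue: /tmp/a.txt owned by root:hdfs with user:abc:--- and mask r--.
A_TXT = Inode("root", "hdfs", {"user::": "rw-", "user:abc": "---", "group::": "r--",
                               "mask::": "r--", "other::": "r--"})
TMP = Inode("root", "hdfs", {"user::": "rwx", "group::": "rwx", "other::": "rwx"}, {"a.txt": A_TXT})
ROOT = Inode("hdfs", "hdfs", {"user::": "rwx", "group::": "r-x", "other::": "r-x"}, {"tmp": TMP})

if __name__ == "__main__":
    for who, grps in (("abc", {"abc"}), ("bob", {"hdfs"})):
        print(who, "effective:", effective(A_TXT, who, grps),
              "traverse-only:", may_traverse(ROOT, "/tmp/a.txt", who, grps),
              "patched:", may_getfacl_patched(ROOT, "/tmp/a.txt", who, grps))
```

Under the traverse-only gate `abc` can still run getfacl on `/tmp/a.txt` even though its effective bits are `---`; the patched gate denies it, while a plain `hdfs` group member passes both.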