This list has been deprecated. Please subscribe to the new devel list at
lists.nfs-ganesha.org.
So, the access check is, of course, advisory to the client. It doesn't
have to make one at all, but can just issue the rename, and expect it to
succeed or fail based on permissions. I'm not sure why the client does
an access and then still does a rename, but it ultimately doesn't
matter, I think.
We don't do an extra access check in the rename path, because it could
race with a permissions change anyway. Instead, we rely on the FSAL's
rename() call to properly enforce permissions. This is the way many
calls work in the FSAL API, to avoid those races.
Does your rename() call not enforce permissions? Or did it somehow
succeed in spite of that? Were the wrong creds passed in?
Daniel
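
The point made above about enforcing permissions inside rename() instead of through a separate access check, as an added example that is not part of the original message and is not nfs-ganesha or FSAL API code: a toy directory whose rename evaluates the DELETE_CHILD ACE under the same lock that changes the entry. All `toy_*` names, the uid-based ACE matching (real NFSv4 ACEs use "who" strings) and the sample ACL are assumptions made for illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not nfs-ganesha code: every name here is hypothetical. */
#define TOY_DELETE_CHILD 0x40u          /* same bit value as ACE4_DELETE_CHILD */
enum toy_ace_type { TOY_ALLOW, TOY_DENY };
struct toy_ace { enum toy_ace_type type; uint32_t who_uid; uint32_t mask; };
struct toy_dir {
    pthread_mutex_t lock;               /* guards acl and child together */
    struct toy_ace acl[4];
    int nace;
    char child[32];                     /* single entry keeps the model small */
};

/* Ordered ACE walk: the first ACE naming a still-undecided bit decides it. */
static int toy_acl_permits(const struct toy_dir *d, uint32_t uid, uint32_t want)
{
    for (int i = 0; i < d->nace && want; i++) {
        const struct toy_ace *a = &d->acl[i];
        if (a->who_uid != uid || !(a->mask & want))
            continue;
        if (a->type == TOY_DENY)
            return 0;
        want &= ~a->mask;
    }
    return want == 0;                   /* bits no ACE allowed are denied */
}

/* Enforcing operation: the permission check and the rename share one
 * critical section, so an ACL change cannot slip in between them. */
int toy_rename(struct toy_dir *d, uint32_t uid, const char *old, const char *new_name)
{
    int rc = 0;
    pthread_mutex_lock(&d->lock);
    if (!toy_acl_permits(d, uid, TOY_DELETE_CHILD))
        rc = -EACCES;
    else if (strcmp(d->child, old) != 0)
        rc = -ENOENT;
    else
        snprintf(d->child, sizeof d->child, "%s", new_name);
    pthread_mutex_unlock(&d->lock);
    return rc;
}

/* Constructed sample: uid 1001 is denied DELETE_CHILD, uid 1002 is allowed. */
struct toy_dir sample = { PTHREAD_MUTEX_INITIALIZER,
    { { TOY_DENY, 1001, TOY_DELETE_CHILD }, { TOY_ALLOW, 1002, TOY_DELETE_CHILD } },
    2, "file.txt" };
```
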
On 05/25/2018 07:36 AM, Sagar M D wrote:
Hi,
Looking at the nfs-ganesha code, the permission check (ACL) happens in
access_check.c. Our FSAL (not an in-tree FSAL) stores and serves the
ACLs to Ganesha.
I see an issue with rename:
Even though I set a deny ACE for "delete child" on folder1 for user1,
user1 is able to rename a file belonging to user2.
I see the below RPCs:
ACCESS request folder1
ACCESS denied (as expected.) (denied for DELETE_CHILD permission)
Rename request
Rename succeeds
I'm not sure why the client is sending a rename even after receiving ACCESS
Denied.
Native NFS denies the rename though.
Any help is appreciated here.
Thanks,
Sagar.
_______________________________________________
Nfs-ganesha-devel mailing list
Nfs-ganesha-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs-ganesha-devel