On Tue, Oct 13, 2015 at 8:21 AM, Sander Smeenk <ssmeenk@xxxxxxxxxxxx> wrote: > Hi, > > I'm struggling with a permission issue involving NFS-mounted storage and > a certain set of capabilities set by cap_set_flags(). The behaviour > differs for local storage versus NFS mounted storage. > > I have this structure on local storage (spinning disks): > | # namei -l /opt/home/sites/t/test/dir/structure/.htaccess > | f: /opt/home/sites/t/test/dir/structure/.htaccess > | drwxr-xr-x root root / > | drwxr-xr-x root root opt > | drwxr-x--x root root home > | drwx--x--x root root sites > | drwx--x--x root root t > | drwx------ http-test http-linux_http-test test > | drwx--x--x http-test http-linux_http-test dir > | drwx------ http-test http-linux_http-test structure > | -rw------- http-test http-linux_http-test .htaccess > > And this same structure on NFS-mounted storage: > | # namei -l /mnt/home/sites/t/test/dir/structure/.htaccess > | f: /mnt/home/sites/t/test/dir/structure/.htaccess > | drwxr-xr-x root root / > | drwxr-xr-x root root mnt > | drwxr-x--x root root home > | drwx--x--x root root sites > | drwx--x--x root root t > | drwx------ http-test http-linux_http-test test > | drwx--x--x http-test http-linux_http-test dir > | drwx------ http-test http-linux_http-test structure > | -rw------- http-test http-linux_http-test .htaccess > > The NFS server is a NetApp filer (-sec=sys,rw=clientip,root=clientip). > I tried this with a Linux server too (rw,no_root_squash,no_subtree_check). > The client is always a Linux machine (rw,vers=3,tcp,bg). > > I made a little C program to illustrate the issue. It drops privileges > to www-data and tries to access the file specified with a certain set of > capabilties[*]. > > This works for local storage, fails on NFS: > > LOCAL: > | # ./capset /opt/home/sites/t/test/dir/structure/.htaccess > | euid:33 uid:33 egid:33 gid:33 > | Process capabilities: = cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice+ep; > | Access: success! > > NFS: > | # ./capset /mnt/home/sites/t/test/dir/structure/.htaccess > | euid:33 uid:33 egid:33 gid:33 > | Process capabilities: = cap_dac_read_search,cap_setgid,cap_setuid,cap_sys_nice+ep; > | Access: error (13): Permission denied > > The source for capset can be seen pasted at https://8n1.org/10831/12f0 > Lines >=42 > > I've experimented with different capabilties, but CAP_DAC_OVERRIDE is > not enough. I'd very much like to hear if it is possible for this to > work on NFS like it does on local storage. This will not work on NFS. The server, which enforces permissions, has no way to know what capabilities your process has on the client. Cheers Trond -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
