Re: BUG on permission check with ACLs : possible to disable it ?



Thank you very much for your help!

First, a little question. Since I encounter this bug in Debian
Stretch, and as the bug behavior slightly changed since the last Debian
stable security update (see CVE-2017-14604), do you think it's
better to report the bug on Debian's BTS first?

Next I investigated further following your advice. Just to simplify, say:
-> /dns/parent is a parent directory
-> It contains two folders: "Share" and "Ressource", which are NFSv4 referrals
-> The "teachers" group has RWX access on both with ACLs. But the
teacher group is not present in the standard POSIX permissions.

Say I'm a teacher.

1) At the start, "gio info" says that I don't have write access to "Ressource":

nom d'affichage : Ressource
nom d'édition : Ressource
nom : Ressource
type : directory
taille :  4096
uri : file:///dnfs/parent/Ressource
attributs :
  standard::type: 2
  standard::name: Ressource
  standard::display-name: Ressource
  standard::edit-name: Ressource
  standard::copy-name: Ressource
  standard::icon: folder
  standard::content-type: inode/directory
  standard::fast-content-type: inode/directory
  standard::size: 4096
  standard::allocated-size: 4096
  standard::symbolic-icon: folder-symbolic, folder
  etag::value: 1538394987:592109
  id::file: l38:1839867
  id::filesystem: l38
  access::can-read: FALSE
  access::can-write: FALSE
  access::can-execute: FALSE
  access::can-delete: FALSE
  access::can-trash: FALSE
  access::can-rename: FALSE
  time::modified: 1538394987
  time::modified-usec: 592109
  time::access: 1538395042
  time::access-usec: 749090
  time::changed: 1538394987
  time::changed-usec: 592109
  unix::device: 38
  unix::inode: 1839867
  unix::mode: 17400
  unix::nlink: 3
  unix::uid: 0
  unix::gid: 5000006
  unix::rdev: 0
  unix::block-size: 32768
  unix::blocks: 8
  owner::user: root
  owner::user-real: root
  owner::group: 2de9

2) When I traverse inside /dns/parent with Nautilus, it does some sort
of file request, as the two NFS referrals are mounted (normally, from a
terminal, they are mounted only when you enter them). There are two
crosses displayed on each folder, as if I can't enter them. But "gio
test" now says that I have RWX access! And a new line at the end
seems to show that Nautilus supports NFSv4 ACLs! Stunning! I didn't
know this feature!

nom d'affichage : Ressource
nom d'édition : Ressource
nom : Ressource
type : directory
taille :  4096
uri : file:///dnfs/parent/Ressource
attributs :
  standard::type: 2
  standard::name: Ressource
  standard::display-name: Ressource
  standard::edit-name: Ressource
  standard::copy-name: Ressource
  standard::icon: folder
  standard::content-type: inode/directory
  standard::fast-content-type: inode/directory
  standard::size: 4096
  standard::allocated-size: 4096
  standard::symbolic-icon: folder-symbolic, folder
  etag::value: 1538394987:592109
  id::file: l37:23199783
  id::filesystem: l37
  access::can-read: TRUE
  access::can-write: TRUE
  access::can-execute: TRUE
  access::can-delete: FALSE
  access::can-trash: FALSE
  access::can-rename: FALSE
  time::modified: 1538394987
  time::modified-usec: 592109
  time::access: 1538395042
  time::access-usec: 749090
  time::changed: 1538394987
  time::changed-usec: 592109
  unix::device: 37
  unix::inode: 23199783
  unix::mode: 17400
  unix::nlink: 3
  unix::uid: 0
  unix::gid: 5000006
  unix::rdev: 0
  unix::block-size: 32768
  unix::blocks: 8
  unix::is-mountpoint: TRUE
  owner::user: root
  owner::user-real: root
  owner::group: 2de9
  xattr-sys::system.nfs4_acl:

3) From there, the output of "gio test" will not change. I can enter
the "Ressource" directory (even with the cross) but inside I can't
create directories.

4) To solve the problem I have three possibilities:
-> I can press F5 inside the "Ressource" folder.
-> If I press F5 before entering the "Ressource" folder, the crosses
disappear. And when I enter the "Ressource" folder I can create
directories inside it.
-> If by any means I go a second time inside the "Parent" folder,
the crosses disappear and I can create directories inside the
"Ressource" folder.

It seems that Nautilus rightly handles the rights even with NFSv4
ACLs. But they are not updated at the right time.

Thanks again! This problem is very disappointing for my teachers.

Baptiste.



On Mon, 1 Oct 2018 at 15:46, António Fernandes
<antoniojpfernandes gmail com> wrote:

Hello.

Since this sounds like a bug, can you file it at our issue tracker as well? 
https://gitlab.gnome.org/GNOME/nautilus/issues/new?issuable_template=Bug

You can check what the following command reports the first time, and if there is any change after that:

gio info /dnfs/shares/teachers/class1

In particular, look for the "access::can-write" attribute and confirm if it says "TRUE" or "FALSE".

But if the user traverses the directories again, starting from "/dnfs"
to "/dnfs/shares/teachers/class1", now it can create directories !!!

Does it also work if the user refreshes the view (pressing [F5])? Or is traversing the directory starting 
from /dnfs a requirement?

Prunk Dump via nautilus-list <nautilus-list gnome org> wrote on Monday, 1/10/2018 at 14:02:

Hello GNOME Nautilus Team!

I'm a high school network administrator and I'm facing a new bug
since an update of Nautilus in Debian Stretch. Maybe you can help me
to correct it or to find a workaround.

The simple explanation:
-----------------------

I export the users' files using an NFSv4 server. Some directories have
some specific ACLs that are not displayed on the client side. This is
normal. Actually the ACLs are not displayed through NFS. For example,
on the client:

# ls -al /dnfs/shares/teachers/class1
drwxrwx--T  3 root class1 4096 oct.   1 13:56 Ressource

This folder has a special ACL that gives RWX access to the "teachers"
group. But we can't see it on the clients. There is no "+" in the result
of the ls command.

So Nautilus shows a cross on the folder. But the teacher can enter
it. So this is not a big problem. Just a little disappointing
for the teacher.

The real problem comes when the teacher wants to create a directory
inside it. This time the "New directory" choice is grey. The teacher
can't click on it.

So is there a way to disable the permission check in Nautilus?

The more in-depth explanation:
------------------------------

The bug is more complex in reality. I use NFSv4 referrals on my
network. This means that when the user enters the folder:

/dnfs/shares/teachers/class1

This creates a mount point over "/dnfs/shares/teachers/class1". And the
mount point appears in the Nautilus left panel.

The teacher can't create directories inside it.

But if the user traverses the directories again, starting from "/dnfs"
to "/dnfs/shares/teachers/class1", now it can create directories !!!

It just doesn't work the first time. The user needs to enter the
"class1" folder a second time.

So I don't know how Nautilus checks permissions, because this time
there is still no information on the client side about the teacher's
ACL. But in this case the Nautilus "New folder" is not grey, and the
user can create directories. I can't understand why Nautilus decides to
activate the "New Folder" choice this time.

Before the update, the "New folder" was still grey. But if the teacher
clicked on it, the directory was created anyway.

Any idea where this bug comes from?

Regards,

Baptiste.
--
nautilus-list mailing list
nautilus-list gnome org
https://mail.gnome.org/mailman/listinfo/nautilus-list
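
Added example, not part of the thread: a small Python check that separates what the mode bits alone grant (the view `ls -l` gives on the client) from what `access(2)` answers for a path, using the `unix::mode`, `unix::uid` and `unix::gid` values from the "gio info" dumps above. The teacher's uid and gids are constructed, and all function names are this example's own.

```python
import os
import stat
import sys

def ls_string(mode):
    """Render a st_mode value the way ls -l does."""
    return stat.filemode(mode)

def mode_bits_allow(st_mode, st_uid, st_gid, uid, gids):
    """(read, write, execute) granted by the POSIX mode bits alone.

    Exactly one class applies (owner, else group, else other); ACLs are
    not consulted, which is why an ACL-only grant is invisible here.
    """
    if uid == st_uid:
        shift = 6
    elif st_gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (stat.S_IMODE(st_mode) >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def compare(path):
    """Mode-bit view vs. access(2) view for the calling user.

    On an NFS mount access(2) is answered by the server, which evaluates
    the ACL; the two views differ when an ACL (or root) decides.
    """
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getgid()}
    by_mode = mode_bits_allow(st.st_mode, st.st_uid, st.st_gid, os.getuid(), gids)
    by_access = tuple(os.access(path, m) for m in (os.R_OK, os.W_OK, os.X_OK))
    return {"mode_bits": by_mode, "access": by_access, "differs": by_mode != by_access}

# From the dumps in the thread: unix::mode 17400 (decimal), uid 0, gid 5000006.
PAGE_MODE, PAGE_UID, PAGE_GID = 17400, 0, 5000006
# Constructed identity (not from the thread): a teacher outside the owning group.
TEACHER_UID, TEACHER_GIDS = 1001, {2001}

if __name__ == "__main__":
    print(ls_string(PAGE_MODE))
    print(mode_bits_allow(PAGE_MODE, PAGE_UID, PAGE_GID, TEACHER_UID, TEACHER_GIDS))
    print(compare(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run as the affected user with the directory path as the argument, before and after the referral is mounted, to see whether `differs` changes.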

