Created attachment 10182 [details] pcap file,output and strace of iozone. I was testing iozone utility on Linux cifs mount with Windows 2012R2 server for interoperability and ran into strange issue. This utility creates a temporary file with permissions "r-xr-xr-x" but it was supposed to be "-rw-r-----". In the strace I found "open("iozone.tmp", O_WRONLY|O_CREAT, 0) = -1 EACCES (Permission denied)" and in the packet captured while creating a file with an open syscall using the following c program: int main(void) { int fd; ssize_t sz; fd = open("/W12R2share/file112", O_WRONLY | O_CREAT, 0); close(fd); } found "DesiredAccess: 0x40000080" (ReadAttributes: (........................1.......) Set FILE_READ_ATTRIBUTES (all)) and "FSCCFileAttribute: 1 (0x1)" (ReadOnly: (...............................1) Read Only). Please find the attached pcap file, output and strace of iozone.
In the test case I see an attempt to create a file with mode "0" which will in fact create a file which can't be accessed by a non root user, including the creator. Is this what you really want? It is supposed to return access denied when run by non-root I ran this minor variation as a test (locally and remote, both failed, except as root) include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <errno.h> int main(void) { int fd; ssize_t sz; printf("attempt to open /W12R2share/file112\n"); fd = open("/W12R2share/file112", O_WRONLY | O_CREAT, 0); if (fd < 0) printf("error %d errno: %d opening file\n", fd, errno); else { printf("success\n"); close(fd); } }
(In reply to comment #0) > Created attachment 10182 [details] > pcap file,output and strace of iozone. > > I was testing iozone utility on Linux cifs mount with Windows 2012R2 server for > interoperability and ran into strange issue. This utility creates a temporary > file with permissions "r-xr-xr-x" but it was supposed to be "-rw-r-----". In > the strace I found "open("iozone.tmp", O_WRONLY|O_CREAT, 0) = -1 EACCES > (Permission denied)" and in the packet captured while creating a file with an > open syscall using the following c program: > int main(void) { > int fd; > ssize_t sz; > > fd = open("/W12R2share/file112", O_WRONLY | O_CREAT, 0); > close(fd); > } > found "DesiredAccess: 0x40000080" (ReadAttributes: > (........................1.......) Set FILE_READ_ATTRIBUTES (all)) and > "FSCCFileAttribute: 1 (0x1)" (ReadOnly: > (...............................1) Read Only). > Please find the attached pcap file, output and strace of iozone. Sorry about "open("iozone.tmp", O_WRONLY|O_CREAT, 0) = -1 EACCES (Permission denied)" I was rerunning the open() before deleting the "iozone.tmp" file created in the last run of Iozone. Actually we are getting the same error at later stage: open("iozone.tmp", O_WRONLY|O_CREAT, 0) = 3 stat("iozone.tmp", {st_mode=S_IFREG|0555, st_size=0, ...}) = 0 ftruncate(3, 0) = 0 close(3) = 0 stat("iozone.tmp", {st_mode=S_IFREG|0555, st_size=0, ...}) = 0 unlink("iozone.tmp") = -1 EIO (Input/output error) creat("iozone.tmp", 0640) = -1 EACCES (Permission denied) write(1, "\nCan not create temp file: iozon"..., 38) = 38
(In reply to comment #1) > In the test case I see an attempt to create a file with mode "0" which will in > fact create a file which can't be accessed by a non root user, including the > creator. Is this what you really want? It is supposed to return access denied > when run by non-root > > I ran this minor variation as a test (locally and remote, both failed, except > as root) > > include <stdio.h> > #include <stdlib.h> > #include <sys/types.h> > #include <sys/stat.h> > #include <fcntl.h> > #include <errno.h> > > int main(void) { > int fd; > ssize_t sz; > > printf("attempt to open /W12R2share/file112\n"); > fd = open("/W12R2share/file112", O_WRONLY | O_CREAT, 0); > if (fd < 0) > printf("error %d errno: %d opening file\n", fd, errno); > else { > printf("success\n"); > close(fd); > } > } I saw non root user throws error to call open() ("open("/W12R2share/file112", O_WRONLY|O_CREAT, 0) = -1 EACCES (Permission denied)") but it creates the file. Root user can create the file without any error but its a read only one: root@xsmbU1404LinuxVM:/W12R2share# ./a.out attempt to open /W12R2share/file112 success: 3 root@xsmbU1404LinuxVM:/W12R2share# rm -rf /W12R2share/file112 rm: cannot remove ‘/W12R2share/file112’: Input/output error root@xsmbU1404LinuxVM:/W12R2share# ll total 145 drwxrwxrwx 2 root root 40960 Aug 10 12:37 ./ drwxr-xr-x 26 root root 4096 Aug 5 10:31 ../ -rwxrwxrwx 1 root root 8726 Aug 8 17:43 a.out* -rwxrwxrwx 1 root root 239 Aug 5 11:16 open.c* -r-xr-xr-x 1 root root 0 Aug 10 13:16 file112* root@xsmbU1404LinuxVM:/W12R2share#
We've run into this in a project I help maintain: https://github.com/ipfs/go-ipfs/issues/4936 > In the test case I see an attempt to create a file with mode "0" which will in fact create a file which can't be accessed by a non root user, including the creator. Is this what you really want? It is supposed to return access denied when run by non-root According to the open(2) man page, the mode passed to open only applies to *future* file accesses. Calling `open("/W12R2share/file112", O_WRONLY | O_CREAT, 0)` *should* succeed (and does on other filesystems). While opening the file with a 0 mode isn't particularly useful, opening it with, e.g., 0444 can be a useful way to create write-once files. Is this behavior intended?