GPFS enforces the NFSv4 permissions, including denying *stat calls when the READ_ATTR permission is not present (unless the stat data is already cached on the node). There is a fallback codepath to reissue a failed stat call under CAP_DAC_OVERRIDE. That has two problems. It requires additional permissions on the parent directory and it does not cover failed fstat/fstatat calls. Both issues will be addressed here.
This bug was referenced in samba master: b317622a8fed0ee195ffe40129eb5bcad28dd985 95319351e37b8b968b798eee66c93852d9ad2d81 cbdc16a7cfa225d1cf9109fafe85e9d14729700e 963fc353e70b940f4009ca2764e966682400e2dc
Created attachment 18179: patches for 4.19
Created attachment 18180: patches for 4.18
Reassigning to Jule for inclusion in 4.18 and 4.19.
This is a generic issue for all filesystems that implement NFS4 ACL permissions and this should ideally be fixed in generic code.
(In reply to Björn Jacke from comment #5)
> this is a generic issue for all filesystems that implement NFS4 ACL
> permissions and this should ideally be fixed in generic code.

Yes, if other file systems with NFSv4 ACLs run into the same issue, and the same fix is required, this code should be made more common. Maybe the code could be moved to nfs4_acls.c and the VFS modules requiring it could then call the functions there. But for any file system, we should show that it can hit this problem. What is the scope these days? There is:
- GPFS on AIX, but Samba usage is not common there.
- JFS2 on AIX.
- ZFS on FreeBSD (ZFS on Linux does not have NFSv4 ACLs AFAIR)

Maybe this discussion should be continued on samba-technical. When another fix is required, that can be processed through another bugzilla.
Another problem I see: AT_EMPTY_PATH is not available on all systems. AIX, where the gpfs module is also used, lacks AT_EMPTY_PATH.
(In reply to Christof Schmitt from comment #6)
As the patch and the backports are brought up here in bugzilla, this is the place where objections should be raised, too.
(In reply to Björn Jacke from comment #7)
> another problem I see: AT_EMPTY_PATH is not available on all systems, AIX,
> where the gpfs module is also used, lacks AT_EMPTY_PATH

I missed that (see my earlier comment, Samba with GPFS on AIX is not common). The goal was to only have the elevated privileges in one place through fstatat. Looks like we need to still have a separate codepath for fstat.
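The portability point in the two comments above, as an added example that is not taken from the Samba patches or written by any commenter: an fd-based stat that uses `fstatat()` with `AT_EMPTY_PATH` where the platform defines it and falls back to `fstat()` where it does not, wrapped in a retry that raises privileges only after `EACCES`. The `raise_priv`/`drop_priv` hooks, the function names and the fake denying filesystem are hypothetical stand-ins.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc exposes AT_EMPTY_PATH only with this */
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Hypothetical hooks: the raw stat operation and privilege raise/drop. */
typedef int (*fd_stat_fn)(int fd, struct stat *st);
typedef void (*priv_fn)(void);

/* stat an open fd: single fstatat() path where AT_EMPTY_PATH exists,
 * plain fstat() on systems that lack it (AIX, per the comment above). */
int portable_fd_stat(int fd, struct stat *st)
{
#ifdef AT_EMPTY_PATH
    return fstatat(fd, "", st, AT_EMPTY_PATH);
#else
    return fstat(fd, st);
#endif
}

/* Try unprivileged first; retry once with raised privileges only on
 * EACCES, and always drop them again before returning. */
int fd_stat_with_retry(int fd, struct stat *st, fd_stat_fn do_stat,
                       priv_fn raise_priv, priv_fn drop_priv)
{
    int ret = do_stat(fd, st);
    if (ret == 0 || errno != EACCES) {
        return ret;             /* success, or an error privileges won't fix */
    }
    raise_priv();
    ret = do_stat(fd, st);
    int saved_errno = errno;    /* drop_priv() may clobber errno */
    drop_priv();
    errno = saved_errno;
    return ret;
}

/* Constructed stand-in for a filesystem that denies stat without READ_ATTR. */
static int privileged, raises, drops;
static void fake_raise(void) { privileged = 1; raises++; }
static void fake_drop(void)  { privileged = 0; drops++; }
static int fake_denying_stat(int fd, struct stat *st)
{
    if (!privileged) { errno = EACCES; return -1; }
    return portable_fd_stat(fd, st);
}
```

Because the retry works on the already-open descriptor, it does not depend on any permission on the parent directory.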
(In reply to Christof Schmitt from comment #6)
Regarding waiting for bug reports for other filesystems implementing NFS4 ACL - I linked already bug 15093, which shows the same problem for JFS2. And also we don't have to wait for ZFS users filing bug reports to fix the same problem for them. This is a generic issue which needs the same handling as the stat vs. read permission issue is working this way as designed for all NFS4 ACL implementations. We had generic NFS4 ACL fixes in custom vfs modules too often in the past already.
See https://gitlab.com/samba-team/samba/-/merge_requests/3376 for a proposal to make this more generic. Note that I did not test the changes for the AIX or ZFS modules.
This bug was referenced in samba master.
Created attachment 18185: patches for 4.19 v2
Created attachment 18186: patches for 4.18 v2
Please see the patch backports for review.
Pushed to autobuild-v4-{19,18}-test.
This bug was referenced in samba v4-18-test.
This bug was referenced in samba v4-19-test.
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.3).
This bug was referenced in samba v4-18-stable (Release samba-4.18.9).