[Bugs] [Bug 1514363] New: Glusterfs client file access permission control incorrect

bugzilla at redhat.com bugzilla at redhat.com
Fri Nov 17 08:44:38 UTC 2017


https://bugzilla.redhat.com/show_bug.cgi?id=1514363

            Bug ID: 1514363
           Summary: Glusterfs client file access permission control
                    incorrect
           Product: GlusterFS
           Version: 3.10
         Component: io-cache
          Severity: high
          Assignee: bugs at gluster.org
          Reporter: congxueyang at gmail.com
                CC: bugs at gluster.org



Created attachment 1354046
  --> https://bugzilla.redhat.com/attachment.cgi?id=1354046&action=edit
step by step guide for this problem

Description of problem:
glusterfs client point file 

Version-Release number of selected component (if applicable):


How reproducible:

Env description
3 nodes, sn-0/1/2, act as glusterfs server nodes.
Create a 2-way replicate volume, export, and mount the volume from another
glusterfs client node, mn-0.
[root at sn-0:/root]
# gluster pool list
UUID                    Hostname    State
55183779-2af2-4693-bf8b-f60aecc72bf2    sn-1.local  Connected 
9acb143b-cc90-4e06-9870-1187272a8dfc    sn-2.local  Connected 
1404829b-a823-4911-baa0-9768e534de90    localhost   Connected 
[root at sn-0:/root]
# gluster peer status 
Number of Peers: 2

Hostname: sn-1.local
Uuid: 55183779-2af2-4693-bf8b-f60aecc72bf2
State: Peer in Cluster (Connected)

Hostname: sn-2.local
Uuid: 9acb143b-cc90-4e06-9870-1187272a8dfc
State: Peer in Cluster (Connected)
[root at sn-0:/root]
# gluster v info export 

Volume Name: export
Type: Replicate
Volume ID: 4d6e0035-41b1-4989-939a-1f5e800f738f
Status: Started
Snapshot Count: 0
Number of Bricks: 1 x 2 = 2
Transport-type: tcp
Bricks:
Brick1: sn-0.local:/mnt/bricks/export/brick
Brick2: sn-1.local:/mnt/bricks/export/brick
Options Reconfigured:
network.ping-timeout: 42
server.allow-insecure: on
cluster.consistent-metadata: on
cluster.server-quorum-type: server
transport.address-family: inet
nfs.disable: on
cluster.server-quorum-ratio: 51%
[root at sn-0:/root]
# gluster v status export
Status of volume: export
Gluster process                             TCP Port  RDMA Port  Online  Pid
------------------------------------------------------------------------------
Brick sn-0.local:/mnt/bricks/export/brick   49156     0          Y       7493 
Brick sn-1.local:/mnt/bricks/export/brick   49156     0          Y       6574 
Self-heal Daemon on localhost               N/A       N/A        Y       10048
Self-heal Daemon on sn-1.local              N/A       N/A        Y       8682 
Self-heal Daemon on sn-2.local              N/A       N/A        Y       8540 

Task Status of Volume export
------------------------------------------------------------------------------
There are no active volume tasks
Step by step guide
Pre condition
user robot is a normal user

robot:x:10000:0:Robot user for test automation purposes:/home/robot:/bin/bash

/mnt/export is the mount point

[robot at mn-0:/home/robot]
$ findmnt |grep export |grep -v tmp
├─/mnt/export                    sn-0.local:/export                            fuse.glusterfs rw,relatime,user_id=0,group_id=0,allow_other,max_read=131072
Create a directory named test in /mnt/export; the robot user doesn't have
permission to access it.
[robot at mn-0:/home/robot]
$ stat /mnt/export/test
stat: cannot stat '/mnt/export/test': Permission denied
[robot at mn-0:/home/robot]
$ sudo stat /mnt/export/test
  File: /mnt/export/test
  Size: 4096        Blocks: 8          IO Block: 131072 directory
Device: 25h/37d Inode: 10834584126020128969  Links: 2
Access: (2755/drwxr-sr-x)  Uid: (    0/    root)   Gid: ( 615/_nokfsuifileshare)
Access: 2017-11-17 09:52:37.737000000 +0200
Modify: 2017-11-17 09:53:57.183000000 +0200
Change: 2017-11-17 09:53:57.183000000 +0200
 Birth: -

Steps to Reproduce:

1. Use sudo "dd if=/dev/zero of=/mnt/export/test/testfile bs=4K count=1 ;" to
create a file.
2. ls the file as the root user, then ls the file as the robot user.

sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 

Actual results:
Both the first and the second ls return success.

[robot at mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile &&  ls -l /mnt/export/test/testfile 
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile

Expected results:
the second ls should return Permission denied.

Additional info:
After sleeping 1 second or dropping the cache, the second ls fails.

[robot at mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot at mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sleep 1 && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied
[robot at mn-0:/home/robot]
$ sudo ls -l /mnt/export/test/testfile && sudo bash -c " echo 3 > /proc/sys/vm/drop_caches " && ls -l /mnt/export/test/testfile
-rw-r--r-- 1 root _nokfsuifileshare 4096 Nov 17 09:53 /mnt/export/test/testfile
ls: cannot access '/mnt/export/test/testfile': Permission denied

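A toy model of the symptom reported above, added here as an example; it is not GlusterFS code and not part of the original report. It shows how a client-side lookup cache that answers a hit without re-checking the caller's search permission on the parent directory produces the "succeeds right after root, fails after 1 second" pattern, and how re-authorizing on every hit removes it. The class and function names, the 1-second TTL and the directory modes are constructed assumptions; the report does not identify the root cause.

```python
from collections import namedtuple

Cred = namedtuple("Cred", "uid gid")
Node = namedtuple("Node", "mode uid gid")
# Constructed tree (modes are assumptions, not the report's): only root may search /test.
TREE = {"/test": Node(0o700, 0, 615), "/test/testfile": Node(0o644, 0, 615)}
ROOT, ROBOT = Cred(0, 0), Cred(10000, 0)


def may_search(node, cred):
    """POSIX owner/group/other test of the directory search (x) bit."""
    if cred.uid == 0:
        return True
    shift = 6 if cred.uid == node.uid else 3 if cred.gid == node.gid else 0
    return bool(node.mode >> shift & 1)


class Client:
    """Toy client: path -> (attrs, expiry) cache in front of a full path walk."""
    def __init__(self, ttl=1.0, recheck_on_hit=False):
        self.ttl, self.recheck, self.cache = ttl, recheck_on_hit, {}

    def _authorize(self, path, cred):
        parts = path.strip("/").split("/")
        for i in range(1, len(parts)):       # every parent directory of path
            if not may_search(TREE["/" + "/".join(parts[:i])], cred):
                raise PermissionError(path)

    def stat(self, path, cred, now):
        hit = self.cache.get(path)
        if hit and now < hit[1]:
            if self.recheck:                 # hardened: a hit is still authorized per caller
                self._authorize(path, cred)
            return hit[0]                    # flawed: the previous caller's answer is reused
        self._authorize(path, cred)          # miss: walk the path with this caller's creds
        self.cache[path] = (TREE[path], now + self.ttl)
        return TREE[path]


def scenario(client):
    """root stats at t=0, then robot at t=0.1 and t=1.5; returns robot's two outcomes."""
    client.stat("/test/testfile", ROOT, 0.0)
    out = []
    for t in (0.1, 1.5):
        try:
            client.stat("/test/testfile", ROBOT, t)
            out.append("ok")
        except PermissionError:
            out.append("denied")
    return out
```

`scenario(Client())` models the reported behaviour, and `scenario(Client(recheck_on_hit=True))` models the expected one.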