#39 — Accessing certain files through as normal user causes "Transport Endpoint is not connected"
| State | Resolved |
|---|---|
| Version | 0.6.0 |
| Area | Functionality |
| Issue type | Bug |
| Severity | Important |
| Submitted by | (anonymous) |
| Submitted on | May 13, 2010 |
| Responsible | Seth Heeren |
| Target release | 0.7.0 |
| Last modified | Sep 19, 2010 by Seth Heeren |

Firstly, I have already reported this on the Ubuntu bug tracker as at first I thought it was a Nautilus/gvfs issue. Please refer to this for more info: https://bugs.launchpad.net/[…]/573823
The main gist of it is that when accessing certain directories, or files within them, FUSE or zfs-fuse seems to have encountered a problem and causes the error "Transport Endpoint is not connected". At which point I can no longer access the zfs file system.
As noted in the Ubuntu bug, this always happens on the same files/directories, it is completely predictable in that respect. What is not predictable is in what circumstances the error happens. E.g. it always happens when using Nautilus at the point of opening the folder. When using Thunar, I can get into the folder, but it's when I access a file. I had previously thought it was ok when accessing from the command line, but I have now experienced the error when using the command line.
All of the above have only happened when logged in as a normal user. I have still not managed to make the error happen when logged in as root user.
I am willing to provide log files/ perform any tests if necessary, please let me know how I can help.
This zpool was created on an OpenSolaris system
zpool version: 16
fuse version: 2.8.1
Steps to reproduce:
- browse into a specific folder,
- attempt to open a file in it,
- program says it can read the file,
- the zfs file system is no longer accessible
Added by Seth Heeren on May 14, 2010 06:05 AM
Issue state: unconfirmed → open
Severity: Medium → Important
Responsible manager: (UNASSIGNED) → sgheeren
Your problem is the usage of acls (90% certain). Emmanuel is currently looking for someone to supply a test set as he doesn't currently have an OSol box handy. If you care, you can submit a response to his open request of the other day:
http://groups.google.com/gr[…]p;q=dd+acl#678eb707b70a13ae
Thx for submitting this. PS. the thread mentions a workaround, although I understand you might not be in a position to remove the acls for this purpose.
Seth
Added by (anonymous) on May 14, 2010 04:41 PM
Hi, thanks for your response.
I have had a look at Emmanuel's idea for creating a test image. Unfortunately I no longer have OpenSolaris, however I have not run the workaround commands yet, so if you can think of a way of me copying the existing broken folder into the test zpool, I can give it a try (can't use dd to copy a folder at byte level, and using cp apparently doesn't preserve the ACLs)
Regards,
Matt
Added by Seth Heeren on May 30, 2010 05:46 AM
Issue state: open → in-progress
On the linux side:
```
dd if=/dev/zero bs=1M count=64 of=/tmp/acltest.img
vim /etc/ietd.conf # expose as desktop:acltest
```
On the solaris side:
```
pkg install SUNWiscsi
svcadm enable svc:/network/iscsi/initiator:default
iscsiadm add discovery-address 192.168.2.200 # address of desktop machine
iscsiadm modify discovery -t enable
devfsadm -i iscsi
format # observe name of iscsi volume
zpool create acltest /devices/iscsi/disk@0000desktop%3Aacltest0001,0:q
cd /acltest
touch testfile
/usr/bin/chmod A+user:sehe:read_data:allow testfile
mkdir testdir
/usr/bin/chmod A+user:sehe:add_file:allow testdir
/usr/bin/ls -dvx *
```
Output:
```
drwxr-xr-x+ 2 root root 2 May 30 11:30 testdir
0:user:sehe:add_file/write_data:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
-rw-r--r--+ 1 root root 0 May 30 11:21 testfile
0:user:sehe:read_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
```
then zpool export acltest, disable iscsi initiator
On the linux side
```
$ pbzip2 -k /tmp/acltest.img
```
Result available here http://downloads.sehe.nl/zfs-fuse/acltest.img.bz2 (41Kb)
Also attached as uuencoded (apt-get install sharutils on debian)
I haven't tested whether this reproduces the issue(s) [yet]......
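
How the `testfile` and `testdir` ACLs listed in the comment above resolve for a given user, as an added example that is not part of the original thread or of zfs-fuse: a parser for the `ls -v` ACE lines plus NFSv4-style ordered evaluation, where only ACEs whose principal matches are consulted and the first one that mentions a still-undecided permission settles it. The function names and the user `alice` are assumptions made for illustration, and root's privilege override is not modelled.

```python
import re

# Directory-flavoured permission names share a bit with the file-flavoured ones.
ALIASES = {"list_directory": "read_data", "add_file": "write_data",
           "add_subdirectory": "append_data"}

# ACE lines for testfile and testdir, copied from the listing in the comment
# above (wrapped lines left as they appear there).
TESTFILE_ACL = """\
0:user:sehe:read_data:allow
1:owner@:execute:deny
2:owner@:read_data/write_data/append_data/write_xattr/write_attributes
/write_acl/write_owner:allow
3:group@:write_data/append_data/execute:deny
4:group@:read_data:allow
5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
6:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
:allow
"""
TESTDIR_ACL = """\
0:user:sehe:add_file/write_data:allow
1:owner@::deny
2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
3:group@:add_file/write_data/add_subdirectory/append_data:deny
4:group@:list_directory/read_data/execute:allow
5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
"""


def parse_acl(text):
    """Parse one file's `ls -v` ACE lines into [(who, perms, type), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"\d+:", line):
            entries.append(line)
        elif line[:1] in ("/", ":") and entries:
            entries[-1] += line          # continuation of a wrapped ACE
        elif line:
            raise ValueError("not an ACE line: %r" % line)
    aces = []
    for entry in entries:
        fields = entry.split(":")[1:]    # drop the leading index
        if len(fields) < 3:
            raise ValueError("malformed ACE: %r" % entry)
        if fields[0] in ("user", "group"):
            who, rest = (fields[0], fields[1]), fields[2:]
        else:                            # owner@, group@, everyone@
            who, rest = (fields[0], None), fields[1:]
        if len(rest) < 2 or rest[-1] not in ("allow", "deny"):
            raise ValueError("malformed ACE: %r" % entry)
        # An empty permission field (as in "1:owner@::deny") yields no bits.
        perms = frozenset(ALIASES.get(p, p) for p in rest[0].split("/") if p)
        aces.append((who, perms, rest[-1]))
    return aces


def ace_applies(who, user, groups, is_owner, in_owning_group):
    """Does this ACE's principal match the requester?"""
    kind, name = who
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    return {"owner@": is_owner, "group@": in_owning_group,
            "everyone@": True}.get(kind, False)


def check_access(aces, wanted, user, groups=(), is_owner=False,
                 in_owning_group=False):
    """Return (decision, index of the deciding ACE or None)."""
    pending = {ALIASES.get(p, p) for p in wanted}
    for index, (who, perms, kind) in enumerate(aces):
        if not ace_applies(who, user, groups, is_owner, in_owning_group):
            continue
        hit = pending & perms
        if not hit:
            continue
        if kind == "deny":
            return ("deny", index)       # a matching deny ends evaluation
        pending -= hit                   # granted bits are never revisited
        if not pending:
            return ("allow", index)
    return ("deny", None)                # no ACE granted the remaining bits


if __name__ == "__main__":
    acl = parse_acl(TESTFILE_ACL)
    # "alice" is a constructed user that matches only everyone@.
    for user, perm in (("sehe", "read_data"), ("sehe", "write_data"),
                       ("alice", "read_data")):
        print(user, perm, check_access(acl, [perm], user))
```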
Added by Seth Heeren on May 30, 2010 06:34 AM
sorry
can't reproduce the problem, I changed the files/acls to refer to a (linux-side) nonexistent user (zfssnap, uid 51). This didn't change much
```
sudo -u sehe tar cv /acltest/ | md5sum
sudo tar cv /acltest/ | md5sum
```
Using nautilus as a normal user works fine
Even restricting the UNIX permissions did not break tar nor nautilus as a normal user:
```
root@karmic:~# chmod -Rc 0600 /acltest/
mode of `/acltest/' changed to 0600 (rw-------)
mode of `/acltest/testdir' changed to 0600 (rw-------)
mode of `/acltest/testfile' changed to 0600 (rw-------)
root@karmic:~# chmod -c 0700 /acltest/ /acltest/testdir/
mode of `/acltest/' changed to 0700 (rwx------)
mode of `/acltest/testdir/' changed to 0700 (rwx------)
root@karmic:~# find /acltest/ -ls
1 2 drwx------ 3 root root 4 May 30 12:09 /acltest/
6 2 drwx------ 2 root root 2 May 30 11:40 /acltest/testdir
5 1 -rw------- 1 root root 16 May 30 12:09 /acltest/testfile
root@karmic:~# zpool export acltest
root@karmic:~# zpool import -d /tmp -a
root@karmic:~# zpool list
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
acltest 59.5M 140K 59.4M 0% 1.00x ONLINE -
root@karmic:~# sudo -u sehe tar cv /acltest/ | md5sum
tar: Removing leading `/' from member names
tar: /acltest: Cannot open: Permission denied
tar: Exiting with failure status due to previous errors
1276481102f218c981e0324180bafd9f -
```
I even retested with both
(a) no UNIX permissions at all (besides root:root ownership)
(b) huge acls:
```
cut -d: -f1 /etc/passwd | xargs -trn1 -iQ /usr/bin/chmod -R A+user:Q:read_data:allow /acltest/testfile /acltest /acltest/testdir
```
This results in (/usr/bin/ls -rv /acltest|wc -l) = 336:
92:user:listen:list_directory/read_data:deny
93:user:listen:list_directory/read_data:allow
94:user:gdm:list_directory/read_data:deny
95:user:gdm:list_directory/read_data:allow
96:user:dladm:list_directory/read_data:deny
97:user:dladm:list_directory/read_data:allow
98:user:daemon:list_directory/read_data:deny
99:user:daemon:list_directory/read_data:allow
100:user:bin:list_directory/read_data:deny
101:user:bin:list_directory/read_data:allow
102:user:adm:list_directory/read_data:deny
103:user:adm:list_directory/read_data:allow
104:user:zfssnap:list_directory/read_data:deny
105:user:zfssnap:list_directory/read_data:allow
106:user:xvm:list_directory/read_data:deny
107:user:xvm:list_directory/read_data:allow
108:user:webservd:list_directory/read_data:deny
109:user:webservd:list_directory/read_data:allow
110:user:uucp:list_directory/read_data:deny
111:user:uucp:list_directory/read_data:allow
112:user:upnp:list_directory/read_data:deny
113:user:upnp:list_directory/read_data:allow
114:user:unknown:list_directory/read_data:deny
115:user:unknown:list_directory/read_data:allow
116:user:sys:list_directory/read_data:deny
117:user:sys:list_directory/read_data:allow
118:user:svctag:list_directory/read_data:deny
119:user:svctag:list_directory/read_data:allow
120:user:smmsp:list_directory/read_data:deny
121:user:smmsp:list_directory/read_data:allow
122:user:sehe:list_directory/read_data:deny
123:user:sehe:list_directory/read_data:allow
124:user:root:list_directory/read_data:deny
125:user:root:list_directory/read_data:allow
126:user:postgres:list_directory/read_data:deny
127:user:postgres:list_directory/read_data:allow
128:user:openldap:list_directory/read_data:deny
129:user:openldap:list_directory/read_data:allow
130:user:nuucp:list_directory/read_data:deny
131:user:nuucp:list_directory/read_data:allow
132:user:nobody4:list_directory/read_data:deny
133:user:nobody4:list_directory/read_data:allow
134:user:nobody:list_directory/read_data:deny
135:user:nobody:list_directory/read_data:allow
136:user:noaccess:list_directory/read_data:deny
137:user:noaccess:list_directory/read_data:allow
138:user:mysql:list_directory/read_data:deny
139:user:mysql:list_directory/read_data:allow
140:user:munin:list_directory/read_data:deny
141:user:munin:list_directory/read_data:allow
142:user:lp:list_directory/read_data:deny
143:user:lp:list_directory/read_data:allow
144:user:listen:list_directory/read_data:deny
145:user:listen:list_directory/read_data:allow
146:user:gdm:list_directory/read_data:deny
147:user:gdm:list_directory/read_data:allow
148:user:dladm:list_directory/read_data:deny
149:user:dladm:list_directory/read_data:allow
150:user:daemon:list_directory/read_data:deny
151:user:daemon:list_directory/read_data:allow
152:user:bin:list_directory/read_data:deny
153:user:bin:list_directory/read_data:allow
154:user:adm:list_directory/read_data:deny
155:user:adm:list_directory/read_data:allow
156:user:zfssnap:add_file/write_data:deny
157:user:zfssnap:add_file/write_data:allow
158:user:sehe:add_file/write_data:deny
159:user:sehe:add_file/write_data:allow
160:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:deny
161:owner@:write_xattr/write_attributes/write_acl/write_owner:allow
162:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:deny
163:group@::allow
164:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
165:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
Added by Seth Heeren on May 30, 2010 06:36 AM
More details:
I forgot to mention that I also retested with 0.6.0 (tagged release). No problem.
Also, for completeness, these were the UNIX perms on the most restrictive and 'complicated' (last) test scenario:
root@bbs2:~# find /acltest/ -ls
3 2 d--------- 3 root root 4 May 30 12:09 /acltest/
6 2 d--------- 2 root root 2 May 30 11:40 /acltest/testdir
5 1 ---------- 1 root root 16 May 30 12:09 /acltest/testfile
Here is an image of the most complicated (last) pool I tested with:
http://downloads.sehe.nl/[…]/acltest_morecomplicated.img.bz2
Added by Seth Heeren on Sep 19, 2010 05:43 PM
Issue state: in-progress → resolved
Target release: None → 0.7.0
Closing, as this was fixed by Eric Astor in issue #71.

acltest.img.bz2.uuencoded
