From f19d5d1a704fda90743f8ff161ca7174cae2f48f Mon Sep 17 00:00:00 2001 From: Sachin Pandit Date: Tue, 25 Nov 2014 07:20:38 +0530 Subject: USS : fill proper uid and gid during a access call from nfs. Problem : when an user tries to access a file/folder for which he does not have a proper permission required then fuse gives out a proper error "Permission denied", but nfs does not give out that error, rather he can access the file/folder. The reason being uid and gid of call frame stack takes a default value of uid and gid which point to root permission. Solution : Set a proper uid and gid during a access call from nfs Change-Id: Ib060706fde66ec7e60f242fab1f3e59122ed2245 BUG: 1175739 Signed-off-by: Sachin Pandit Reviewed-on: http://review.gluster.org/9194 Reviewed-by: Vijaikumar Mallikarjuna Reviewed-by: Rajesh Joseph Tested-by: Gluster Build System Reviewed-by: Vijay Bellur Signed-off-by: Sachin Pandit Reviewed-on: http://review.gluster.org/9340 Reviewed-by: Raghavendra Bhat --- ...7580-set-proper-uid-and-gid-during-nfs-access.t | 201 +++++++++++++++++++++ 1 file changed, 201 insertions(+) create mode 100644 tests/bugs/bug-1167580-set-proper-uid-and-gid-during-nfs-access.t (limited to 'tests') diff --git a/tests/bugs/bug-1167580-set-proper-uid-and-gid-during-nfs-access.t b/tests/bugs/bug-1167580-set-proper-uid-and-gid-during-nfs-access.t new file mode 100644 index 00000000000..1eb3d55e36c --- /dev/null +++ b/tests/bugs/bug-1167580-set-proper-uid-and-gid-during-nfs-access.t @@ -0,0 +1,201 @@ +#!/bin/bash +. $(dirname $0)/../include.rc +. $(dirname $0)/../nfs.rc +. $(dirname $0)/../volume.rc +. $(dirname $0)/../snapshot.rc + +# This function returns a value "Y" if user can execute +# the given command. Else it will return "N" +# @arg-1 : Name of the user +# @arg-2 : Path of the file +# @arg-3 : command to be executed +function check_if_permitted () { + local usr=$1 + local path=$2 + local cmd=$3 + local var + local ret + var=$(su - $usr -c "$cmd $path") + ret=$? + + if [ "$cmd" == "cat" ] + then + if [ "$var" == "Test" ] + then + echo "Y" + else + echo "N" + fi + else + if [ "$ret" == "0" ] + then + echo "Y" + else + echo "N" + fi + fi +} + +# Create a directory in /tmp to specify which directory to make +# as home directory for user +home_dir=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 8 | head -n 1) +home_dir="/tmp/bug-1167580-$home_dir" +mkdir $home_dir + +function get_new_user() { + local temp=$(cat /dev/urandom | tr -dc 'a-zA-Z' | fold -w 8 | head -n 1) + id $temp + if [ "$?" == "0" ] + then + get_new_user + else + echo $temp + fi +} + +function create_user() { + local user=$1 + local group=$2 + + if [ "$group" == "" ] + then + useradd -d $home_dir/$user $user + else + useradd -d $home_dir/$user -G $group $user + fi + + return $? +} + +cleanup; + +TEST setup_lvm 1 +TEST glusterd + +TEST $CLI volume create $V0 $H0:$L1 +TEST $CLI volume start $V0 + +# Mount the volume as both fuse and nfs mount +EXPECT_WITHIN $NFS_EXPORT_TIMEOUT "1" is_nfs_export_available +TEST glusterfs -s $H0 --volfile-id $V0 $M0 +TEST mount_nfs $H0:/$V0 $N0 nolock + +# Create 2 user +user1=$(get_new_user) +create_user $user1 +user2=$(get_new_user) +create_user $user2 + +# create a file for which only user1 has access +echo "Test" > $M0/README +chown $user1 $M0/README +chmod 700 $M0/README + +# enable uss and take a snapshot +TEST $CLI volume set $V0 uss enable +TEST $CLI snapshot config activate-on-create on +TEST $CLI snapshot create snap1 $V0 + +# try to access the file using user1 account. +# It should succeed with both normal mount and snapshot world. +# There is time delay in which snapd might not have got the notification +# from glusterd about snapshot create hence using "EXPECT_WITHIN" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $M0/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $N0/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $M0/.snaps/snap1/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user1 $N0/.snaps/snap1/README cat + + +# try to access the file using user2 account +# It should fail from both normal mount and snapshot world +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $M0/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $N0/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $M0/.snaps/snap1/README cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user2 $N0/.snaps/snap1/README cat + +# We need to test another scenario where user belonging to one group +# tries to access files from user belonging to another group +# instead of using the already created users and making the test case look complex +# I thought of using two different users. + +# The test case written below does the following things +# 1) Create 2 users (user{3,4}), belonging to 2 different groups (group{3,4}) +# 2) Take a snapshot "snap2" +# 3) Create a file for which only users belonging to group3 have +# permission to read +# 4) Test various combinations of Read-Write, Fuse-NFS mount, User{3,4,5} +# from both normal mount, and USS world. + +echo "Test" > $M0/file3 + +chmod 740 $M0/file3 + +group3=$(get_new_user) +groupadd $group3 + +group4=$(get_new_user) +groupadd $group4 + +user3=$(get_new_user) +create_user $user3 $group3 + +user4=$(get_new_user) +create_user $user4 $group4 + +user5=$(get_new_user) +create_user $user5 + +chgrp $group3 $M0/file3 + +TEST $CLI snapshot create snap2 $V0 + +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $M0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $M0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $M0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $M0/.snaps/snap2/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $N0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "Y" check_if_permitted $user3 $N0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $N0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user3 $N0/.snaps/snap2/file3 "echo Hello >" + + +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $M0/.snaps/snap2/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user4 $N0/.snaps/snap2/file3 "echo Hello >" + +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $M0/.snaps/snap2/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/.snaps/snap2/file3 cat +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/file3 "echo Hello >" +EXPECT_WITHIN $PROCESS_UP_TIMEOUT "N" check_if_permitted $user5 $N0/.snaps/snap2/file3 "echo Hello >" + +# cleanup +/usr/sbin/userdel -f -r $user1 +/usr/sbin/userdel -f -r $user2 +/usr/sbin/userdel -f -r $user3 +/usr/sbin/userdel -f -r $user4 +/usr/sbin/userdel -f -r $user5 + +#cleanup all the home directory which is created as part of this test case +if [ -d "$home_dir" ] +then + rm -rf $home_dir +fi + + +groupdel $group3 +groupdel $group4 + +TEST $CLI snapshot delete all + +cleanup; + + -- cgit