* NFSv4 client does not allow you to execute a file with no read permission.
@ 2012-07-19 6:44 NeilBrown
0 siblings, 0 replies; 2+ messages in thread
From: NeilBrown @ 2012-07-19 6:44 UTC (permalink / raw)
To: Trond Myklebust; +Cc: Darcy Partridge, NFS
[-- Attachment #1: Type: text/plain, Size: 1501 bytes --]
[resending - with more current address for Trond :-]
If there is a file on the server with permissions --x--x--x,
then if I mount with NFSv3 I (as a non-root user) can run it.
However if I mount with NFSv4 I cannot.
This is with a sufficiently recent server kernel which fixes that server-side
bug that caused a problem with this scenario.
I think the bug was introduced by commit cd9a1c0e5ac68
NFSv4: Clean up nfs4_atomic_open
which added a new call to nfs_may_open.
The problem is that nfs_intent_set_file calls nfs_may_open passing
intent.open.flags which contains O_RDONLY (i.e. 0). This is mapped
to FMODE_READ before being passed to nfs_do_access.
As I don't have read access, the exec fails.
I can "fix it" with
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index eedd24d..15a718b 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2278,12 +2278,12 @@ static int nfs_open_permission_mask(int openflags)
{
int mask = 0;
- if ((openflags & O_ACCMODE) != O_WRONLY)
- mask |= MAY_READ;
if ((openflags & O_ACCMODE) != O_RDONLY)
mask |= MAY_WRITE;
if (openflags & __FMODE_EXEC)
mask |= MAY_EXEC;
+ else if ((openflags & O_ACCMODE) != O_WRONLY)
+ mask |= MAY_READ;
return mask;
}
so we don't ask for READ permission if we are asking for EXEC permission.
I suspect this may not be the right fix. I'm just presenting it to help
focus on whether the problem seems to be.
Is there a better way to fix this?
Thanks,
NeilBrown
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
^ permalink raw reply related [flat|nested] 2+ messages in thread
* NFSv4 client does not allow you to execute a file with no read permission.
@ 2012-05-30 3:04 NeilBrown
0 siblings, 0 replies; 2+ messages in thread
From: NeilBrown @ 2012-05-30 3:04 UTC (permalink / raw)
To: Trond Myklebust; +Cc: Darcy Partridge, NFS
[-- Attachment #1: Type: text/plain, Size: 1445 bytes --]
If there is a file on the server with permissions --x--x--x,
then if I mount with NFSv3 I (as a non-root user) can run it.
However if I mount with NFSv4 I cannot.
This is with a sufficiently recent server kernel which fixes that server-side
bug that caused a problem with this scenario.
I think the bug was introduced by commit cd9a1c0e5ac68
NFSv4: Clean up nfs4_atomic_open
which added a new call to nfs_may_open.
The problem is that nfs_intent_set_file calls nfs_may_open passing
intent.open.flags which contains O_RDONLY (i.e. 0). This is mapped
to FMODE_READ before being passed to nfs_do_access.
As I don't have read access, the exec fails.
I can "fix it" with
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index eedd24d..15a718b 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2278,12 +2278,12 @@ static int nfs_open_permission_mask(int openflags)
{
int mask = 0;
- if ((openflags & O_ACCMODE) != O_WRONLY)
- mask |= MAY_READ;
if ((openflags & O_ACCMODE) != O_RDONLY)
mask |= MAY_WRITE;
if (openflags & __FMODE_EXEC)
mask |= MAY_EXEC;
+ else if ((openflags & O_ACCMODE) != O_WRONLY)
+ mask |= MAY_READ;
return mask;
}
so we don't ask for READ permission if we are asking for EXEC permission.
I suspect this may not be the right fix. I'm just presenting it to help
focus on whether the problem seems to be.
Is there a better way to fix this?
Thanks,
NeilBrown
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-07-19 6:44 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-07-19 6:44 NFSv4 client does not allow you to execute a file with no read permission NeilBrown
-- strict thread matches above, loose matches on Subject: below --
2012-05-30 3:04 NeilBrown
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.