As is altogether far too common an occurrence, we were having a problem
where a file was not inheriting the correct ACL, but rather a horribly
munged one resulting in incorrect permissions and security problems.

It appeared something was chmod'ing the file after creation, but despite
best efforts we simply could not find the culprit. After much
investigation, we determined the ACL was only broken when the open
specified O_EXCL.

Upon submitting this issue to support for resolution, we were informed this
was a known problem, specifically CR#6215088. Due to a deficiency in the
NFS protocol, exclusive opens are split into an open and a setattr,
effectively chmod'ing the file upon creation.

This bug was opened in January *2005* against Solaris 9 and presumably ufs
ACLs. Still broken for ZFS ACLs almost 6 years later. Understandably,
the underlying issue is with the protocol; but still you'd think 6 years
would be enough time to implement a reasonable workaround.

They didn't fix this in the NFS 4 spec (why?), but there's some hope on the
distant horizon: the NFS 4.1 spec introduces the EXCLUSIVE4_1 create which
will allow an exclusive create to be done atomically rather than as two
separate operations. Of course, Solaris would need to support NFS 4.1 (no
timeline available) and all clients of interest would need to do so as well
(again no timeline available), but that's not likely to be of much help
anytime soon.

As far as fixing the issue now? Last word from support was:

"Provide me with a detailed justification on why Oracle needs to fix this
current bug. Please include a monetary value on how this impacts your
company."

I guess fixing it because it's *broken* just isn't good enough. I guess
fixing it because it's a *security vulnerability that can result in
restricted files being world readable* just isn't good enough either.

According to our ISO, a breach of confidential student data that triggered
the California notification law would cost us anywhere from half a million
to a million dollars, so I guess I'll start with that number and see what
they say. I doubt if the lawyers would let me, but if that scenario
occurred I'd do my damnedest to include "This notification brought to you
courtesy of poor Oracle software security" in the letter ;)...


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
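
An added example, not part of the original post: a check an administrator could run against an NFS-mounted directory to see whether files created with O_EXCL end up with different permissions than files created without it, as the message describes. The file names and the `compare_exclusive_create` helper are hypothetical, and the script compares only the mode bits reported by stat, not the full ACL entries.

```python
import os
import stat
import sys
import tempfile


def _create_and_get_mode(directory, name, extra_flags, mode):
    """Create a file with the given open(2) flags; return its permission bits."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | extra_flags, mode)
    os.close(fd)
    try:
        # Stat by path after close so any follow-up setattr has been applied.
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


def compare_exclusive_create(directory, mode=0o600):
    """Create one file without O_EXCL and one with it; compare the results."""
    tag = str(os.getpid())  # hypothetical scratch-file naming
    plain = _create_and_get_mode(directory, f".exclcheck-plain-{tag}", 0, mode)
    excl = _create_and_get_mode(directory, f".exclcheck-excl-{tag}",
                                os.O_EXCL, mode)
    extra = excl & ~plain  # bits granted only on the exclusive create
    return {
        "plain": plain,
        "exclusive": excl,
        "differs": plain != excl,
        "extra_bits": extra,
        "world_readable_only_with_excl": bool(extra & stat.S_IROTH),
    }


if __name__ == "__main__":
    # Pass the NFS-mounted directory to test; defaults to the temp directory.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    r = compare_exclusive_create(target)
    print(f"{target}: plain={r['plain']:04o} exclusive={r['exclusive']:04o}")
    if r["differs"]:
        print(f"MISMATCH: O_EXCL create added bits {r['extra_bits']:04o}")
        sys.exit(1)
```

A mismatch on the NFS mount but not on a local directory points at the exclusive-create path rather than at umask or inheritance settings, since both files are created under identical conditions.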
