getfattr on non-root symlinks is denied 

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post getfattr on non-root symlinks is denied
Steps to reproduce:

1. Create (mkntfs) an NTFS filesystem, and mount with usermapping=..., mapping being, e.g.:

::S-1-5-21-3141592653-589793238-462643383-10000

2. Create a symlink on the filesystem as a regular user (not root)

3. "getfattr -h symlink" as a regular user -> "Permission denied"

The above means that, for instance, "rsync -X" fails when executed by a regular user.

Thanks!


Mon Jul 09, 2012 01:08
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: getfattr on non-root symlinks is denied
Hi,

Quote:
"getfattr -h symlink" as a regular user -> "Permission denied"

You cannot set user-type extended attributes on a symlink, hence you cannot retrieve them:

On ext3:
Code:
[linux@pavilion2 ntfs-3g]$ ln -s err symlink
[linux@pavilion2 ntfs-3g]$ ls -l symlink err
-rw-rw-r-- 1 linux linux 0 Feb 29 18:39 err
lrwxrwxrwx 1 linux linux 3 Jul  9 08:36 symlink -> err
[linux@pavilion2 ntfs-3g]$ setfattr -h -n user.color -v blue symlink
setfattr: symlink: Operation not permitted
[linux@pavilion2 ntfs-3g]$ getfattr -h -n user.color symlink
symlink: user.color: No such attribute

On ntfs:
Code:
[linux@pavilion2 c-src]$ ln -s err symlink
[linux@pavilion2 c-src]$ ls -l symlink err
-rw-r--r-- 1 linux linux 370 Jun 21 15:50 err
lrwxrwxrwx 1 linux linux  14 Jul  9 08:30 symlink -> err
[linux@pavilion2 c-src]$ setfattr -h -n user.color -v blue symlink
setfattr: symlink: Operation not permitted
[linux@pavilion2 c-src]$ getfattr -h -n user.color symlink
symlink: user.color: No such attribute

If you got "permission denied", you were probably querying a non user-type extended attribute, and specific rules apply.
Quote:
The above means that, for instance, "rsync -X" fails when executed by a regular user

AFAIK rsync -X only copies user-type extended attributes.

Regards

Jean-Pierre


Mon Jul 09, 2012 08:50

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
However, on ext3:

Code:
> getfattr -h symlink
>

whereas on ntfs (mounted with a usermapping):

Code:
> getfattr -h symlink
getfattr: symlink: permission denied
> rsync -aX . /tmp/test
rsync: get_xattr_names: llistxattr("/tmp/mnt2/./symlink",1024) failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1052) [sender=3.0.9]
> echo $?
23
> ls /tmp/test/
err


The error returned by ntfs-3g (if any) should probably be "Operation not supported", not "Permission denied".


Mon Jul 09, 2012 13:15
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: getfattr on non-root symlinks is denied
Hi,

Quote:
The error returned by ntfs-3g (if any) should probably be "Operation not supported", not "Permission denied".

Which kernel (and ntfs-3g) versions are you using? There have been bugs related to this in the past, for example: https://bugzilla.redhat.com/show_bug.cgi?id=660613

Regards

Jean-Pierre


Mon Jul 09, 2012 14:18

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
I am using ntfs-3g 2012.1.15, and Gentoo Hardened kernel 3.2.11. Are you unable to reproduce the bug? Try running "getfattr -h" on the symlink in your example, as a non-root user.


Mon Jul 09, 2012 14:42
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: getfattr on non-root symlinks is denied
Hi,

Quote:
Are you unable to reproduce the bug?

Yes.
Quote:
Try running "getfattr -h" on the symlink in your example, as a non-root user.

The examples I showed were obviously done as user "linux". You can differentiate ntfs from ext3 from the size of the symlink (on ext3 it is the target path length, on ntfs a prefix of about 10 bytes plus alignment has to be added).

I have retried with the symlink being created by root, but queried as a user: same result (notice "getfattr -h -d", which is the command-line variant of llistxattr(2) used by rsync).
Code:
[linux@dimension acls]$ ls -l symlink
lrwxrwxrwx 1 root root 14 Jul  9 17:17 symlink -> err
[linux@dimension acls]$ setfattr -h -n user.color -v blue symlink
setfattr: symlink: Operation not permitted
[linux@dimension acls]$ getfattr -h -n user.color symlink
symlink: user.color: No such attribute
[linux@dimension acls]$ getfattr -h -d symlink
[linux@dimension acls]$

What kind of symlink is yours? If this is a symlink to a file or directory which the user cannot access, the bug in libattr may have come back (see the link posted earlier). What is your libattr version (I am using 2.4.44)? Can you retry the same commands I did, both on ext3 and on ntfs?

Regards

Jean-Pierre


Mon Jul 09, 2012 17:34

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
Quote:
What kind of symlink is yours? If this is a symlink to a file or directory which the user cannot access, the bug in libattr may have come back (see the link posted earlier).


It's unlikely to be the same bug, since removing the "-h" switch inhibits the error. Please see below for the exact permissions.

Quote:
What is your libattr version (I am using 2.4.44)?


I am using attr-2.4.46 in Gentoo.

Quote:
Can you retry the same commands I did, both on ext3 and on ntfs?


Sure. Partitions are created as follows:

Code:
truncate -s 3M /tmp/img.ntfs
losetup /dev/loop2 /tmp/img.ntfs
mkntfs /dev/loop2
mkdir /tmp/mnt.ntfs
echo "::S-1-5-21-2984658991-3481575564-650048683-10000" > /etc/ntfs-3g.map
mount -t ntfs-3g -o usermapping=/etc/ntfs-3g.map /dev/loop2 /tmp/mnt.ntfs
chmod 1777 /tmp/mnt.ntfs


Code:
truncate -s 3M /tmp/img.ext3
losetup /dev/loop3 /tmp/img.ext3
mkfs.ext3 /dev/loop3
mkdir /tmp/mnt.ext3
mount -t ext3 -o user_xattr /dev/loop3 /tmp/mnt.ext3
chmod 1777 /tmp/mnt.ext3


Then, as a regular user:

Code:
/tmp/mnt.ntfs $ umask 022
/tmp/mnt.ntfs $ touch err
/tmp/mnt.ntfs $ ln -s err symlink
/tmp/mnt.ntfs $ ls -l
total 1
-rw-r--r-- 1 user group  0 Jul  9 17:17 err
lrwxrwxrwx 1 user group 14 Jul  9 17:17 symlink -> err
/tmp/mnt.ntfs $ setfattr -h -n user.color -v blue symlink
setfattr: symlink: Operation not permitted
/tmp/mnt.ntfs $ getfattr -h -n user.color symlink
symlink: user.color: No such attribute
/tmp/mnt.ntfs $ getfattr -h -d symlink
getfattr: symlink: Permission denied
/tmp/mnt.ntfs $ getfattr -d symlink
/tmp/mnt.ntfs $


Running "getfattr -h -d symlink" as root does not result in an error, and chowning either the file or the symlink (chown -h), or both, to root does not affect the regular user's error.

Running the same commands as a regular user in the ext3 directory:

Code:
/tmp/mnt.ext3 $ umask 022
/tmp/mnt.ext3 $ touch err
/tmp/mnt.ext3 $ ln -s err symlink
/tmp/mnt.ext3 $ ls -l
total 0
-rw-r--r-- 1 user group 0 Jul  9 17:26 err
lrwxrwxrwx 1 user group 3 Jul  9 17:26 symlink -> err
/tmp/mnt.ext3 $ setfattr -h -n user.color -v blue symlink
setfattr: symlink: Operation not permitted
/tmp/mnt.ext3 $ getfattr -h -n user.color symlink
symlink: user.color: No such attribute
/tmp/mnt.ext3 $ getfattr -h -d symlink
/tmp/mnt.ext3 $ getfattr -d symlink
/tmp/mnt.ext3 $


Mon Jul 09, 2012 19:32

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
Just retested the problem on an old setup with non-hardened Gentoo kernel 2.6.32, ntfs3g-2010.8.8, attr-2.4.43 — same result.


Mon Jul 09, 2012 19:47
NTFS-3G Lead Developer

Joined: Tue Sep 04, 2007 17:22
Posts: 1286
Post Re: getfattr on non-root symlinks is denied
Hi,

Ok, this is the faulty one, and I could reproduce it:
Quote:
Code:
/tmp/mnt.ntfs $ getfattr -h -d symlink
getfattr: symlink: Permission denied

And the bug only shows when the Posix ACLs are enabled.

Can you try the attached patch? This is a quick one which returns with no result and no error for all special files (symlinks, fifo, sockets, etc.). I still have to check what should be done for each special type, but this may unblock you. Otherwise you may reconfigure without the option --enable-posix-acls and recompile.

Regards

Jean-Pierre


Attachments:
symlinks.patch.tar.gz [484 Bytes]
Mon Jul 09, 2012 21:39

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
Sure, will try and report back, thanks. I am not blocked on this bug, by the way — just wanted to report an issue. NTFS-3G is indeed compiled with POSIX ACLs support here:

Code:
sys-fs/ntfs3g-2012.1.15-r1 was built with the following:
USE="acl crypt external-fuse ntfsprogs xattr -debug -extras -static-libs -suid -udev"


and

Code:
sys-fs/ntfs3g-2010.8.8 was built with the following:
USE="acl external-fuse (multilib) udev -debug -suid"


on an older setup.


Mon Jul 09, 2012 21:53

Joined: Mon Jul 09, 2012 01:00
Posts: 7
Post Re: getfattr on non-root symlinks is denied
Hi, the patch fixed the problem.
Thanks!


Tue Jul 10, 2012 01:49
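
Added example, not part of any post in this thread and not ntfs-3g or rsync code: a small C probe that makes the same llistxattr(2) call on the symlink itself that "getfattr -h -d" and "rsync -X" make, and classifies the result so the "Permission denied" case reported above can be told apart from "Operation not supported" or an empty list. The names xa_classify and xa_probe_link are made up for this example.

```c
/* Added example: probe llistxattr(2) on a symlink without following it. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

enum xa_result { XA_OK, XA_UNSUPPORTED, XA_DENIED, XA_MISSING, XA_OTHER };

/* Map an errno from llistxattr() to the outcomes discussed in the thread. */
enum xa_result xa_classify(int err)
{
    switch (err) {
    case 0:       return XA_OK;
    case ENOTSUP: return XA_UNSUPPORTED; /* "Operation not supported" */
    case EACCES:  return XA_DENIED;      /* "Permission denied" (13) */
    case ENOENT:  return XA_MISSING;
    default:      return XA_OTHER;
    }
}

/* List the xattr names of the link itself (no dereference).
 * *count receives the number of names, or 0 on any error. */
enum xa_result xa_probe_link(const char *path, int *count)
{
    char names[1024];   /* same buffer size as in the rsync error above */
    ssize_t len = llistxattr(path, names, sizeof names);
    *count = 0;
    if (len < 0)
        return xa_classify(errno);
    for (ssize_t off = 0; off < len; off += strlen(names + off) + 1)
        (*count)++;     /* names are packed back to back, NUL-terminated */
    return XA_OK;
}

int main(int argc, char **argv)
{
    static const char *label[] = { "ok", "unsupported", "DENIED", "missing", "other error" };
    int failed = 0;
    for (int i = 1; i < argc; i++) {
        int n;
        enum xa_result r = xa_probe_link(argv[i], &n);
        printf("%s: %s, %d attribute name(s)\n", argv[i], label[r], n);
        failed |= (r == XA_DENIED);
    }
    return failed;
}
```

Run it as the regular user with the symlink paths as arguments; the exit status is non-zero if any of them returns EACCES.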