Hello. I have a really weird problem with a ZFS pool on one machine, and
it's only with 1 pool on that machine (the other pool is fine). Any
non-root users cannot access '..' on any directories where the
pool is mounted, e.g.:
/a1000 on a1000 read/write/setuid/devices/nonbmand/exec/xattr/noatime/dev=4010002 on Wed Jan 28 20:55:38 2009
/home on a1000/home read/write/setuid/devices/nonbmand/exec/xattr/noatime/dev=4010005 on Wed Jan 28 20:55:39 2009
$ ls -ld /
drwxr-xr-x 28 root root 1024 Jan 29 10:09 /
$ ls -ld /home
drwxr-xr-x 11 root sys 11 Jan 9 14:49 /home
$ ls -ld /home/..
/home/..: Permission denied
$ ls -ld /a1000/..
/a1000/..: Permission denied
$ ls -V /
total 1065
drwxr-xr-x 2 root sys 2 Dec 1 14:39 a1000
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 6 root sys 6 Aug 20 11:47 appl
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
lrwxrwxrwx 1 root root 9 Jun 18 2008 bin -> ./usr/bin
drwxr-xr-x 3 root sys 512 Jan 28 18:49 boot
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 19 root sys 7680 Jan 28 20:54 dev
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 2 root sys 512 Jan 28 20:53 devices
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 80 root sys 4608 Jan 29 09:40 etc
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 2 root sys 512 Jun 18 2008 export
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 11 root sys 11 Jan 9 14:49 home
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 15 root sys 512 Jun 18 2008 kernel
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 7 root bin 5632 Jan 28 19:50 lib
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwx------ 2 root root 8192 Jun 18 2008 lost+found
0:user::rwx
1:group::--- #effective:---
2:mask:---
3:other:---
drwxr-xr-x 2 root sys 512 Jun 18 2008 mnt
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
dr-xr-xr-x 2 root root 512 Jun 18 2008 net
0:user::r-x
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
-rw-r--r-- 1 root root 0 Jun 18 2008 noautoshutdown
0:user::rw-
1:group::r-- #effective:r--
2:mask:r--
3:other:r--
drwxr-xr-x 7 root sys 7 Jan 28 15:50 opt
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 40 root sys 1536 Jun 18 2008 platform
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 2 root sys 2 Jul 29 2008 pool
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
dr-xr-xr-x 76 root root 480032 Jan 29 10:23 proc
0:user::r-x
1:group::r-x #effective:r-x
2:mask:rwx
3:other:r-x
drwxr-x--- 12 root root 1024 Jan 29 10:09 root
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:---
drwxr-xr-x 2 root sys 1024 Jan 28 19:37 sbin
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
-rw-rw-rw- 1 root root 1576 Oct 15 12:40 sybinit.err
0:user::rw-
1:group::rw- #effective:rw-
2:mask:rw-
3:other:rw-
drwxr-xr-x 4 root root 512 Jun 18 2008 system
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxrwxrwx 2 root root 512 Dec 16 11:26 tftpboot
0:user::rwx
1:group::rwx #effective:rwx
2:mask:rwx
3:other:rwx
drwxrwxrwt 3 root sys 1063 Jan 29 10:21 tmp
0:user::rwx
1:group::rwx #effective:rwx
2:mask:rwx
3:other:rwx
drwxr-xr-x 42 root sys 1024 Jan 28 16:43 usr
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 45 root sys 1024 Jan 28 18:15 var
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
drwxr-xr-x 2 root root 512 Jun 18 2008 vol
0:user::rwx
1:group::r-x #effective:r-x
2:mask:r-x
3:other:r-x
$ ls -V /home
total 99
drwxr-x--- 2 alan users 4 Jan 9 14:49 alan
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
drwxr-xr-x 4 dkelbley sysadmin 8 Nov 15 20:21 dkelbley
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 18 dmarques users 60 Jan 29 09:50 dmarques
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 5 frank users 78 Jan 27 08:06 frank
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 2 root sys 2 Jul 17 2008 ftp
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-xr-x 108 root root 108 Jan 29 09:40 layerx
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
drwxr-x--- 2 netcool ncoadmin 5 Nov 7 15:29 netcool
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
drwxr-x--- 4 root root 5 Nov 7 08:56 phoenix
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
drwxr-xr-x 4 sti users 8 Aug 27 17:34 sti
owner@:--------------:------:deny
owner@:rwxp---A-W-Co-:------:allow
group@:-w-p----------:------:deny
group@:r-x-----------:------:allow
everyone@:-w-p---A-W-Co-:------:deny
everyone@:r-x---a-R-c--s:------:allow
$ ls -V /home/..
/home/..: Permission denied
However .. does work in subdirectories. 'zfs get all' on both
pools match:
# zfs get all a1000
NAME PROPERTY VALUE SOURCE
a1000 type filesystem -
a1000 creation Wed Oct 8 12:19 2008 -
a1000 used 16.9G -
a1000 available 148G -
a1000 referenced 60.9K -
a1000 compressratio 1.03x -
a1000 mounted yes -
a1000 quota none default
a1000 reservation none default
a1000 recordsize 128K default
a1000 mountpoint /a1000 default
a1000 sharenfs off default
a1000 checksum on default
a1000 compression on local
a1000 atime off local
a1000 devices on default
a1000 exec on default
a1000 setuid on default
a1000 readonly off default
a1000 zoned off default
a1000 snapdir hidden default
a1000 aclmode groupmask default
a1000 aclinherit restricted default
a1000 canmount on default
a1000 shareiscsi off default
a1000 xattr on default
a1000 copies 1 default
a1000 version 1 -
a1000 utf8only off -
a1000 normalization none -
a1000 casesensitivity sensitive -
a1000 vscan off default
a1000 nbmand off default
a1000 sharesmb off default
a1000 refquota none default
a1000 refreservation none default
Any ideas?
Thanks!
-Dustin
--
This message posted from opensolaris.org
Forgot to add that a truss shows:
14960: lstat64("/a1000/..", 0xFFBFF7E8) Err#13 EACCES [file_dac_search]
ppriv shows the error in UFS:
$ ppriv -e -D -s -file_dac_search ls -ld /a1000/..
ls[15022]: missing privilege "file_dac_search" (euid = 100, syscall = 216) needed at ufs_iaccess+0x110
/a1000/..: Permission denied
However seeing as it only happens for mounts on that 1 ZFS pool, it being a UFS
problem seems highly unlikely.
Dustin Marquess wrote:
> Forgot to add that a truss shows:
>
> 14960: lstat64("/a1000/..", 0xFFBFF7E8) Err#13 EACCES [file_dac_search]
>
> ppriv shows the error in UFS:
>
> $ ppriv -e -D -s -file_dac_search ls -ld /a1000/..
> ls[15022]: missing privilege "file_dac_search" (euid = 100, syscall = 216) needed at ufs_iaccess+0x110
> /a1000/..: Permission denied
>
> However seeing as it only happens for mounts on that 1 ZFS pool, it being a UFS problem seems highly unlikely.

Unmount the file system and look at the permissions on the UFS mountpoint directory /a1000. They will probably be 0700 or something similar.

-Mark
Bingo, they were 0750. Thanks so much, that was the one thing I didn't think of. I thought I was going crazy :).

Thanks again!
-Dustin
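A way to find every mount point with the symptom from this thread, as an added example that is not part of the original messages: it parses Solaris `mount` output and reports mount points whose `..` fails with EACCES, which per the answer above points at the mode of the covered directory. The function names are hypothetical, the sample input is built from the two `mount` lines in the first post, and it must run as the affected non-root user.

```python
import errno
import os

# Constructed sample: the two `mount` lines quoted in the first post.
SAMPLE_MOUNT_OUTPUT = """\
/a1000 on a1000 read/write/setuid/devices/nonbmand/exec/xattr/noatime/dev=4010002 on Wed Jan 28 20:55:38 2009
/home on a1000/home read/write/setuid/devices/nonbmand/exec/xattr/noatime/dev=4010005 on Wed Jan 28 20:55:39 2009
"""


def parse_solaris_mount(text):
    """Return mount points from Solaris `mount` output.

    Assumed line format: '<mountpoint> on <resource> <options> on <date>'.
    """
    points = []
    for line in text.splitlines():
        mountpoint, sep, _rest = line.partition(" on ")
        if sep and mountpoint.startswith("/"):
            points.append(mountpoint)
    return points


def blocked_dotdot(mountpoints, lstat=os.lstat):
    """Return mount points whose '..' the calling user may not look up.

    EACCES on '<mountpoint>/..' while the mounted root itself is readable
    is the symptom in this thread. `lstat` is injectable for testing.
    """
    blocked = []
    for mp in mountpoints:
        if mp == "/":
            continue  # '/..' is '/' itself; nothing is covered
        try:
            lstat(mp.rstrip("/") + "/..")
        except OSError as exc:
            if exc.errno == errno.EACCES:
                blocked.append(mp)
            # Other errors (ENOENT, ENOTDIR) are a different problem.
    return blocked


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["mount"], capture_output=True, text=True).stdout
    for mp in blocked_dotdot(parse_solaris_mount(out)):
        print(f"{mp}/..: Permission denied; unmount and check the directory underneath")
```

For each mount point it reports, the fix is the one from the thread: unmount, inspect the mode of the underlying directory, and correct it before remounting.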