As is altogether far too common an occurrence, we were having a problem where a file was not inheriting the correct ACL, but rather a horribly munged one resulting in incorrect permissions and security problems. It appeared something was chmod'ing the file after creation, but despite best efforts we simply could not find the culprit. After much investigation, we determined the ACL was only broken when the open specified O_EXCL.

Upon submitting this issue to support for resolution, we were informed this was a known problem, specifically CR#6215088. Due to a deficiency in the NFS protocol, exclusive opens are split into an open and a setattr, effectively chmod'ing the file upon creation. This bug was opened in January *2005* against Solaris 9 and presumably ufs ACLs. Still broken for ZFS ACLs almost 6 years later. Understandably, the underlying issue is with the protocol; but still you'd think 6 years would be enough time to implement a reasonable workaround. They didn't fix this in the NFS 4 spec (why?), but there's some hope on the distant horizon: the NFS 4.1 spec introduces the EXCLUSIVE4_1 create, which will allow an exclusive create to be done atomically rather than as two separate operations. Of course, Solaris would need to support NFS 4.1 (no timeline available) and all clients of interest would need to do so as well (again no timeline available), but that's not likely to be of much help anytime soon.

As far as fixing the issue now? Last word from support was: "Provide me with a detailed justification on why Oracle needs to fix this current bug. Please include a monetary value on how this impacts your company." I guess fixing it because it's *broken* just isn't good enough. I guess fixing it because it's a *security vulnerability that can result in restricted files being world readable* just isn't good enough either.
According to our ISO, a breach of confidential student data that triggered the California notification law would cost us anywhere from half a million to a million dollars, so I guess I'll start with that number and see what they say. I doubt if the lawyers would let me, but if that scenario occurred I'd do my damnedest to include "This notification brought to you courtesy of poor Oracle software security" in the letter ;)...

-- 
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
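A small check for the symptom described in the post, added here as an example and not code from the original message: it creates one file with a plain O_CREAT and one with O_CREAT|O_EXCL in the same directory and compares the resulting permission bits, since an exclusive create that is split into OPEN plus SETATTR over NFS leaves different bits than an ordinary create in a directory with an inheritable ACL. The directory argument and the two temporary file names are assumptions for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file in dir with the given extra open flags and mode 0666,
 * return its permission bits (st_mode & 07777), or -1 on error.
 * The file is removed again so the check leaves nothing behind. */
static int create_and_get_mode(const char *dir, const char *name, int flags)
{
    char path[4096];
    struct stat st;
    int fd;

    snprintf(path, sizeof path, "%s/%s", dir, name);
    unlink(path);                     /* O_EXCL needs a name that does not exist */
    fd = open(path, O_WRONLY | O_CREAT | flags, 0666);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);
    return (int)(st.st_mode & 07777);
}

/* Returns 0 when a plain create and an O_EXCL create yield identical
 * permission bits, 1 when they differ (the ACL-clobbering symptom from
 * the post), and -1 if either create fails. Names are constructed here. */
int exclusive_create_differs(const char *dir)
{
    int plain = create_and_get_mode(dir, ".acltest-plain", 0);
    int excl  = create_and_get_mode(dir, ".acltest-excl", O_EXCL);

    if (plain < 0 || excl < 0)
        return -1;
    return plain != excl;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    int r = exclusive_create_differs(dir);

    if (r < 0) {
        perror("create");
        return 2;
    }
    printf("%s: O_EXCL create %s the inherited permission bits\n",
           dir, r ? "CHANGES" : "preserves");
    return r;
}
```

On a local filesystem both creates come out identical; to reproduce the issue the program has to be pointed at an NFS-mounted directory carrying an inheritable ACL, where a result of 1 means the exclusive create was effectively chmod'ed after creation.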