View Issue Details

ID: 0016006
Project: CentOS-7
Category: nfs-utils
View Status: public
Last Update: 2019-04-11 21:23
Status: new
Resolution: open
Product Version: 7.5.1804
Target Version:
Fixed in Version:
Summary: 0016006: NFS v4 Export of POSIX ACL directory results in stuck access (requires client system reboot)

Description:
Exporting a directory that has POSIX ACLs to an NFS client results in the client hanging forever when attempting to list contents. (The mount succeeds.)
(The client system is still operational, but there are fubar'd mount references that leave it untrustable w/o reboot)

Exporting the PARENT directory instead (in the reproduction below, e.g. "/d1" instead of "/d1/sftp") (w/o POSIX ACLs) works just fine (you can traverse into the ACL enabled directory and list contents if ACL allows)

It *may* be that the ownership (root:root) and permissions (770) on this directory are involved, but again, only if this directory is the direct export, as exporting the parent has no such issue.

NOTE: having the ACL directory root:root (770) was done as a hopeful best-practice to keep it from being open-read if mounted accidentally 'noacl'.
Steps To Reproduce:
---------------------------------------------------------------------
[On NFS Server]


mkdir "${target_dir}"
chown root:root "${target_dir}"
chmod 770 "${target_dir}"
setfacl --modify user:${username}:rwx "${target_dir}"
setfacl --modify default:${username}:rwx "${target_dir}"

echo "${target_dir} -rw,sync,mp,no_subtree_check ${client_host}" >> /etc/exports
[On Client host "client"]

mkdir /a
mount ${nfs_server:?You forgot to set nfs_server}:${target_dir:?You forgot to set target_dir} /a

That all works fine, but:

ls /a/

will hang forever, and while you may be able to 'umount -f', the client is still hosed.
NOTE: I also tried doing an 'all_squash' with 'anonuid=sdowdy, anongid=sdowdy' to no avail (same failure)

As stated in the "Description", if I instead export "/d1", and do:

client# mount ${nfs_server}:/d1 /a
client# ls /a
client# ls /a/sftp
Permission Denied (as expected due to root_squashing)
client# env -i TERM=$TERM /bin/su - sdowdy -c 'ls /a/sftp/'
file1 file2 ....
(as expected due to ACLs allowing 'sdowdy' access)

Additional Information:
I tried a Debian 9 (stretch) client as well as a CentOS 7.6 client. I have not tried a Debian server yet, but can if someone wants to take this ticket on.

The export on the server side appears like:

server# grep /d1 /var/lib/nfs/etab
/d1/sftp client.mydomain(rw,sync,wdelay,hide,nocrossmnt,secure,root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,mountpoint,anonuid=65534,anongid=65534,sec=sys,secure,root_squash,no_all_squash)

On the Client side:

# grep server /proc/mounts
server:/d1/sftp /c nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr={CLIENT_IP},local_lock=none,addr={SERVER_IP} 0 0

strace on the 'ls /c' gets stuck at:

[pid 24704] stat("/c",

which I guess is expected, but not helpful.

Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-04-11 21:23 sdowdy New Issue
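
The report shows 'ls' blocked in stat() on a 'hard' nfs4 mount. The following is an added example, not part of the original report or of nfs-utils: a client-side check that lists NFS mounts from /proc/mounts and probes each with a time-limited stat, so the check itself does not hang. The function names are hypothetical, and it assumes the blocked stat can be ended by SIGKILL, which this report does not confirm for this particular hang.

```shell
#!/bin/sh
# Added example (not from the report): find NFS mounts and probe each one
# with a time-limited stat so the check cannot block on a dead mount.

# Print "mountpoint<TAB>source<TAB>hard|soft" for each nfs/nfs4 entry.
# $1: mounts file to read (default /proc/mounts).
nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" {
        mode = (("," $4 ",") ~ /,soft,/) ? "soft" : "hard"
        printf "%s\t%s\t%s\n", $2, $1, mode
    }' "${1:-/proc/mounts}"
}

# Probe one path; print ok, hung or error and return 0 only for ok.
# $1: path, $2: time limit in seconds (default 5).
# Assumption: SIGKILL can end the blocked stat.
probe_path() {
    timeout -s KILL "${2:-5}" stat -- "$1" >/dev/null 2>&1
    case $? in
        0)       echo ok ;;
        124|137) echo hung; return 1 ;;   # killed at the time limit
        *)       echo error; return 2 ;;  # stat failed quickly (e.g. ENOENT)
    esac
}

# Probe every NFS mount listed in $1 with time limit $2.
check_nfs_mounts() {
    tab=$(printf '\t')
    nfs_mounts "$1" | while IFS="$tab" read -r mnt src mode; do
        printf '%s %s (%s, %s)\n' "$(probe_path "$mnt" "$2")" "$mnt" "$src" "$mode"
    done
}

# Usage on a client: check_nfs_mounts /proc/mounts 5
```

A "hung" result on a mount reported as "hard" matches the symptom described in this issue; "error" means stat returned promptly with a failure such as a missing path.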