Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!sdd.hp.com!saimiri.primate.wisc.edu!caen!hellgate.utah.edu!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: Re: 386BSD - Bug in UFS file system + proposed fix
Message-ID: <1992Dec16.211422.3663@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Organization: Weber State University (Ogden, UT)
References: <1992Dec16.012248.8123@moxie.hou.tx.us>
Date: Wed, 16 Dec 92 21:14:22 GMT
Lines: 54

In article <1992Dec16.012248.8123@moxie.hou.tx.us> hackney@moxie.hou.tx.us (Greg Hackney) writes:
>[ I posted this once, but I'm reasonably sure it didn't make it out ]
>
>There is a major bug in the 386BSD UFS code relating to file permissions.
>The major symptom is:
>
> Can't read most files that you don't own on a remote NFS 386BSD system,
> although there is public read permission, i.e.:
>
>-r--r--r-- 1 root other 5 Dec 15 19:15 /tmp/hell
>
>A very minor symptom is you can't read some LOCAL files, although
>there is public read permission, i.e. a file that looks like:
>
>-------r-- 1 root other 5 Dec 15 19:15 /tmp/hell
>
>[ This functionality seems broken on SunOS 4.1 too, but not on USL S5R4. ]

[ ... fix deleted ... ]

This fix seems a bad thing. In particular, you *don't* want to allow a
file which is world read or world execute to be read/executed by someone
who is a member of a group denied access.

For instance, the group png (persona non grata) could be the group owner
of telnet, ftp, and other outgoing network utilities. If the permissions
on the file are:

-r-x---r-x 1 root png 42610 Nov 10 20:10 telnet

Then people in the group png will be denied the ability to run telnet.
This idea is called an exclusion group, and is correct behaviour.

Perhaps the reason you are having NFS problems is because unknown users
and root users from a remote system are translated to UID -1 and -2
unless you specify that root access is allowed on the remote machine in
the /etc/exports file (your example seems to indicate you were logged in
as root when you tried this).

Admittedly, there are some permission comparison problems, but these are
pretty well isolated, and will probably be more than a one or two line
fix.

Terry Lambert
terry@icarus.weber.edu
terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of my present
or previous employers.
--
-------------------------------------------------------------------------------
"I have an 8 user poetic license" - me
Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------
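
Added example, not part of the original post and not 386BSD source: a small C model of the permission-class selection behind the exclusion group described above, set beside a fall-through variant in which world bits override a group denial. The struct cred layout, the function names and the uid/gid values (gid 50 standing in for "png") are assumptions made for illustration; the deleted fix itself is not reproduced here.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed credential: one uid plus a small group list. */
struct cred { uid_t uid; int ngroups; gid_t groups[4]; };

static int in_group(const struct cred *c, gid_t gid)
{
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return 1;
    return 0;
}

/* First-match check: exactly one permission class applies to a caller.
 * `want` is given in "other" position (S_IROTH | S_IWOTH | S_IXOTH).
 * Superuser bypass is left out to keep the class selection visible. */
int access_first_match(mode_t mode, uid_t owner, gid_t group,
                       const struct cred *c, mode_t want)
{
    if (c->uid == owner)
        return ((mode >> 6) & want) == want;
    if (in_group(c, group))
        return ((mode >> 3) & want) == want;   /* group bits are final */
    return (mode & want) == want;
}

/* Fall-through variant: a class that denies is skipped, so the world
 * bits can grant what the group bits withheld. */
int access_fall_through(mode_t mode, uid_t owner, gid_t group,
                        const struct cred *c, mode_t want)
{
    if (c->uid == owner && ((mode >> 6) & want) == want)
        return 1;
    if (in_group(c, group) && ((mode >> 3) & want) == want)
        return 1;
    return (mode & want) == want;
}

int main(void)
{
    /* -r-x---r-x root png telnet, with constructed ids. */
    struct cred banned = { 1001, 1, { 50 } };
    struct cred other  = { 1002, 1, { 20 } };
    printf("first-match:  banned=%d other=%d\n",
           access_first_match(0505, 0, 50, &banned, S_IXOTH),
           access_first_match(0505, 0, 50, &other, S_IXOTH));
    printf("fall-through: banned=%d\n",
           access_fall_through(0505, 0, 50, &banned, S_IXOTH));
    return 0;
}
```

Under the first-match rule the png member is refused and everyone else may execute; under the fall-through rule the exclusion group no longer excludes anyone.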