#762339 uaccess creates stray empty group ACL overriting regular group permissions

Package:
libacl1
Source:
acl
Description:
access control list - shared library
Submitter:
Michael Tokarev
Date:
2014-10-02 16:03:12 UTC
Severity:
important
#762339#5
Date:
2014-09-21 10:55:24 UTC
From:
To:
This is a generic problem, but I'll use just one example of
its action, on /dev/kvm device node.

In short, on any kvm (svm|vmx) capable x86 system these days,
kvm module gets loaded and /dev/kvm device node is created.
But without udev rules file from qemu-kvm which assigns
group permissions to this node, and with presence of systemd,
this device node receives wrong ACL, like this:

 # ls -l /dev/kvm; getfacl /dev/kvm
 crw-rw----+ 1 root root 10, 232 сен 21 18:45 /dev/kvm
 # file: dev/kvm
 # owner: root
 # group: root
 user::rw-
 user:Debian-gdm:rw-
 group::---
 mask::rw-
 other::---

Note that even if the regular unix permissions have "rw" for
group, there's one more ACL present for the file, "group::---",
which effectively turns off regular unix group permissions.

/dev/kvm is listed in 70-uaccess.rules:

 SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"

but this is one of very few devices which comes without group
rw permissions from the kernel initially.

The problematic place is the systemd sources, src/login/logind-acl.c,
devnode_acl() function.  I added some debug printfs to this function,
after each section of this function printing acl and stat(2) info
from the file, and got this for /dev/kvm:

 initial: user::rw-,group::---,other::--- (mode=020600 uid=0 gid=0)

 after flush: user::rw-,group::---,other::--- (mode=020600)
 after add: user::rw-,user:Debian-gdm:rw-,group::---,other::--- (mode=020600)
 after mask: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020600)
 after final set: user::rw-,user:Debian-gdm:rw-,group::---,mask::rw-,other::--- (mode=020660)

Note that after the final acl_set_file(), regular unix
perms are changed too (which probably should not), but
the stray empty group ACL entry is kept.

Now the more I think about this, the more this looks
like libacl bug...  Hopefully not kernel :)

Thanks,

/mjt
#762339#10
Date:
2014-09-21 11:48:24 UTC
From:
To:
I can reproduce this without udev too, so the prob is not udev.

 cd /dev
 rm -f foo
 touch foo
 chmod 0600 foo
 setfacl -m 'user::rw-,user:daemon:rw-,group::---,mask::rw-,other::---' foo

this creates the same ACL entry as the one I found for /dev/kvm.

Without the 'group::---' part of setfacl, it works correctly.

So it looks like it is libacl who is at fault here.  But given the
current interface and all the users of this interface, I'm not
sure at all how this can be solved.  Possible solution is to
stop returning fake acl from unix permission bits, but I guess
it is just too much.

BTW, for some reason, setting an ACL like this changes file group
access bits too, from --- to rw-, which is the same as the acl
mask.  After removing the ACL (setfacl -b), these extra bits
stay.  This might be a bug in the kernel (both changing group
perms in the first place and keeping the changed bits after
removing the acl), but this looks like a different issue or
question.

Thanks,

/mjt
#762339#15
Date:
2014-09-21 18:20:31 UTC
From:
To:
reassign 762339 libacl1
thanks
Am 21.09.2014 um 13:48 schrieb Michael Tokarev:

Thanks for the analysis, reassigning to libacl1.

If there is actually something which needs to be fixed on the systemd
sid, please clone/re-assign accordingly.