Complete
Details
Assignee
Andrew WalkerAndrew WalkerReporter
Andrew WalkerAndrew WalkerLabels
Time remaining
0mComponents
Fix versions
Affects versions
Priority
Low
Details
Details
Assignee
Andrew Walker
Andrew WalkerReporter
Andrew Walker
Andrew WalkerLabels
Time remaining
0m
Components
Fix versions
Affects versions
Priority
LowKatalon Platform
Katalon Platform
Katalon Platform
Created February 9, 2022 at 2:42 PM
Updated July 11, 2022 at 3:41 PM
Resolved February 10, 2022 at 9:25 PM
For Linux NFS kernel server ops, fsuid and fsgid in
cred are populated with ids that operation is
being performed as, but euid and egid remain 0.
In Linux when setresuid(2) and setresgid(2) are
called, the fsuid and fsgid are set to the euid
and egid respectively.
This PR changes ZFS ACL checks to evaluate
fsuid / fsgid rather than euid / egid to avoid
accidentally granting elevated permissions to
NFS clients.
Additionally, CAP_SYS_ADMIN is granted to nfsd
process, and so override for this capability in
access2 policy check is removed in favor of
simple check for fsid == 0. Checks for
CAP_DAC_OVERRIDE and other override capabilities
are kept as-is.