GNU bug report logs - #16094
bug: cp/mv cannot copy/move a file's extended attrs if they start with 'security'


Package: coreutils;

Reported by: Linda Walsh <coreutils <at> tlinx.org>

Date: Mon, 9 Dec 2013 20:11:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 16094 in the body.
You can then email your comments to 16094 AT debbugs.gnu.org in the normal way.



Report forwarded to bug-coreutils <at> gnu.org:
bug#16094; Package coreutils. (Mon, 09 Dec 2013 20:11:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Linda Walsh <coreutils <at> tlinx.org>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 09 Dec 2013 20:11:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Linda Walsh <coreutils <at> tlinx.org>
To: bug-coreutils <at> gnu.org
Subject: bug: cp/mv cannot copy/move a file's extended attrs if they start
 with 'security'
Date: Mon, 09 Dec 2013 12:09:58 -0800

I saved a file to my home directory on linux via windows.

I wanted to move it to /tmp.

I got:
>  mv  /home/law/tmp/oVars.pm /tmp
mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’: Operation not permitted

So what's up with this?  Shouldn't the NTACL be able to be stored/moved with the
file?






Reply sent to Pádraig Brady <P <at> draigBrady.com>:
You have taken responsibility. (Mon, 09 Dec 2013 22:25:02 GMT) Full text and rfc822 format available.

Notification sent to Linda Walsh <coreutils <at> tlinx.org>:
bug acknowledged by developer. (Mon, 09 Dec 2013 22:25:02 GMT) Full text and rfc822 format available.

Message #10 received at 16094-done <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Linda Walsh <coreutils <at> tlinx.org>
Cc: 16094-done <at> debbugs.gnu.org
Subject: Re: bug#16094: bug: cp/mv cannot copy/move a file's extended attrs
 if they start with 'security'
Date: Mon, 09 Dec 2013 22:24:01 +0000

tag 16094 notabug
stop

On 12/09/2013 08:09 PM, Linda Walsh wrote:
> I saved a file to my home directory on linux via windows.
> 
> I wanted to move it to /tmp.
> 
> I got:
>>  mv  /home/law/tmp/oVars.pm /tmp
> mv: setting attribute ‘security.NTACL’ for ‘security.NTACL’: Operation not permitted
> 
> So what's up with this?  Shouldn't the NTACL be able to be stored/moved with the
> file?

This would be security policy enforced by the system I suspect.
I.E. mv is not filtering these explicitly.

thanks,
Pádraig.




Information forwarded to bug-coreutils <at> gnu.org:
bug#16094; Package coreutils. (Mon, 09 Dec 2013 23:16:01 GMT) Full text and rfc822 format available.

Message #13 received at 16094-done <at> debbugs.gnu.org (full text, mbox):

From: Linda Walsh <coreutils <at> tlinx.org>
To: Pádraig Brady <P <at> draigBrady.com>, 16094-done <at> debbugs.gnu.org
Subject: Re: bug#16094: bug: cp/mv cannot copy/move a file's extended attrs if
 they start with 'security'
Date: Mon, 09 Dec 2013 15:15:20 -0800

On 12/9/2013 2:24 PM, Pádraig Brady wrote:
>> So what's up with this?  Shouldn't the NTACL be able to be stored/moved with the
>> file?
> 
> This would be security policy enforced by the system I suspect.
> I.E. mv is not filtering these explicitly.
----
Ideas as to how?   I.e. Is it part of the gnu libraries?

I only build the "standard linux security model" into my kernel, so unless
it's a part of a fs driver or something, I'm fairly sure it is not
coming from the kernel...





Information forwarded to bug-coreutils <at> gnu.org:
bug#16094; Package coreutils. (Tue, 10 Dec 2013 08:53:02 GMT) Full text and rfc822 format available.

Message #16 received at 16094 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Linda Walsh <coreutils <at> tlinx.org>
Cc: 16094 <at> debbugs.gnu.org
Subject: Re: bug#16094: bug: cp/mv cannot copy/move a file's extended attrs
 if they start with 'security'
Date: Tue, 10 Dec 2013 08:52:18 +0000

On 12/09/2013 11:15 PM, Linda Walsh wrote:
> 
> 
> On 12/9/2013 2:24 PM, Pádraig Brady wrote:
>>> So what's up with this?  Shouldn't the NTACL be able to be stored/moved with the
>>> file?
>>
>> This would be security policy enforced by the system I suspect.
>> I.E. mv is not filtering these explicitly.
> ----
> Ideas as to how?   I.e. Is it part of the gnu libraries?
> 
> I only build the "standard linux security model" into my kernel, so unless
> it's a part of a fs driver or something, I'm fairly sure it is not
> coming from the kernel...

Note since you're writing to /tmp it might be an issue with tmpfs?
Have a look at whether the recent TMPFS_SECURITY and TMPFS_XATTR kernel options are enabled.
Also there are acl mount options that might impact here too.

thanks,
Pádraig.




Information forwarded to bug-coreutils <at> gnu.org:
bug#16094; Package coreutils. (Wed, 11 Dec 2013 00:10:02 GMT) Full text and rfc822 format available.

Message #19 received at 16094 <at> debbugs.gnu.org (full text, mbox):

From: Linda Walsh <coreutils <at> tlinx.org>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: 16094 <at> debbugs.gnu.org
Subject: Re: bug#16094: bug: cp/mv cannot copy/move a file's extended attrs if
 they start with 'security'
Date: Tue, 10 Dec 2013 16:09:07 -0800

On 12/10/2013 12:52 AM, Pádraig Brady wrote:
> Note since you're writing to /tmp it might be an issue with tmpfs?
----

> df /tmp
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdc2       7.8G  3.5G  4.4G  45% /tmp

xfs_info  /tmp
meta-data=/dev/sdc2              isize=256    agcount=4, agsize=519101 blks
         =                       sectsz=512   attr=2

I don't think so...


> Have a look at whether the recent TMPFS_SECURITY and TMPFS_XATTR kernel options are enabled.
> Also there are acl mount options that might impact here too.

> zgrep TMPFS /proc/config.gz 
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_TMPFS_XATTR=y


They are enabled, but I don't think they are relevant since
/tmp is a normal xfs file system in my case.

Actually it's a dir on /var named /var/rtmp that gets
'rbound' (rbind) to /tmp so my root can remain relatively
static.





Information forwarded to bug-coreutils <at> gnu.org:
bug#16094; Package coreutils. (Wed, 11 Dec 2013 07:27:02 GMT) Full text and rfc822 format available.

Message #22 received at 16094 <at> debbugs.gnu.org (full text, mbox):

From: Linda Walsh <coreutils <at> tlinx.org>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: 16094 <at> debbugs.gnu.org
Subject: Re: bug#16094: bug: cp/mv cannot copy/move a file's extended attrs
 if they start with 'security'
Date: Tue, 10 Dec 2013 23:26:36 -0800

The claim is that only root can move 'security', but then why is there
a namespace for 'root' separate from the 'user' namespace?
Asked this on the xfs list. 

The thing that bugs me is that I've never
seen this message before and I've had my Win7 client copying files
to my linux disks all the time (all of my data is on linux).

So I'm trying to figure out what changed.  Seems like an easy way
to strip off unwanted ACL's.  Just use 'cp' (drops the NTACL with no error message),
or use 'mv' to a different partition.

What I'm wondering is if the posix acl's are also stored in the security
namespace.  Would make sense.  If that was the case, they'd be stripped
too.

Can't read content of a file due to ACL?  just move it to a different partition.
That can't be right...
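
Added example (not part of this thread and not coreutils code): a pre-move audit that lists the extended attributes a copy made by the current process could not recreate on the destination. It assumes the rules in xattr(7) with no security module claiming the attribute: setting security.* or trusted.* needs CAP_SYS_ADMIN, security.capability needs CAP_SETFCAP, and user.* and system.posix_acl_* need no capability. The function names are hypothetical.

```python
import os

# Linux capability bit numbers (from <linux/capability.h>).
CAP_SYS_ADMIN, CAP_SETFCAP = 21, 31

def effective_caps(status_text=None):
    """Return the CapEff bitmask of this process (or parse supplied text)."""
    if status_text is None:
        with open("/proc/self/status") as f:
            status_text = f.read()
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0

def needed_cap(name):
    """Capability needed to set xattr `name`; None if the file owner may.
    Assumption: no LSM claims the attribute (security.selinux under
    SELinux follows policy instead)."""
    if name == "security.capability":
        return CAP_SETFCAP
    if name.split(".", 1)[0] in ("security", "trusted"):
        return CAP_SYS_ADMIN
    return None  # user.* and system.posix_acl_* need no capability

def at_risk(names, capeff):
    """Names the caller could not recreate on a destination file."""
    out = []
    for n in names:
        cap = needed_cap(n)
        if cap is not None and not (capeff >> cap) & 1:
            out.append(n)
    return out

def scan(path):
    """List xattrs on `path` that a copy by this process would lose."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:  # filesystem without xattr support, or unreadable path
        return []
    return at_risk(names, effective_caps())

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        for n in scan(p):
            print(f"{p}: {n} cannot be set on the copy (setxattr gives EPERM)")
```

Run it with file paths as arguments before a cross-filesystem mv; an empty result means every listed attribute can be set again by the current process.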




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 08 Jan 2014 12:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 11 years and 220 days ago.
