Unexpected access denied issues on Webfarm

Summary

An issue has been discovered in the implementation of Access Control Lists (ACLs) over Network File System (NFS) on the infrastructure now supporting the University Web Farm whereby some attributes of the ACL are not correctly inherited which can cause access issues to “writeable” directories.

A fix for this bug is not currently available from the upstream vendor. A workaround is available below.

Applies to

This advisory applies to any web developer or author who:

  1. writes or uses custom PHP code to create files or directories on the webfarm
  2. uses cron jobs which create files or directories on the webfarm
  3. uses ssh via www-admin to create files or directories on the webfarm

Some web authors using third party PHP applications may also be affected.

Description

The university web infrastructure relies heavily on the correct functioning of ACLs to ensure web authors and the web servers retain the correct access to files and directories for the updating and functioning of university websites.

When a directory is created on an NFS client within a directory protected by a POSIX ACL with a default mask applied the mask is not correctly applied to the resulting file/directory.

The mask is used to calculate the maximum permission set that this ACL is allowed to provide. We set these to “rwx” which

Correctly inherited ACLs have the following attributes:

mask::rwx
default:mask::rwx

When a file or directory is created over NFS then the mask may be incorrectly applied as:

mask::r-x
default:mask::rwx

The upshot of this incorrect calculation of the mask is that any further access granted via this ACL does not include the “write” permission. The owner of the file is not affected by this bug (as it gets its permission via the traditional UNIX permissions) but other users granted access via the publishing group will be affected.

It is anticipated that this will only affect websites using the “writeable” feature to store files.

Workaround

Various different applications of this workaround are required:

  1. Change the default umask for PHP applications on the webfarm to 0007. This is being rolled out by Information Services as CR8907 and CR8908 and should mitigate the issue for most users.
  2. Web developers using the PHP mkdir() function call and specifying a create mode (e.g. mkdir("dir1", 0755)) will continue to experience this issue and will need to update their code to either not specify a mode or explicitly use 0777 (e.g. mkdir("dir1") or mkdir("dir1", 0777)).
  3. Web developers using cron jobs to access their publishing areas via cron or ssh will need to explicitly set the umask of their jobs by executing the following either as they log in via ssh or at the top of cron jobs:

    umask 0007

If the problem has already occurred resulting in unexpected “Access denied” type errors then the problem should be logged with the IT Helpdesk who can arrange for the broken ACLs to be fixed.

Further reading

Some further details are available from the vendor https://access.redhat.com/solutions/447803

Leave a Reply