git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Chuck Lever <chuck.lever@oracle.com>
	Wed, 19 Nov 2025 00:51:19 +0000 (19:51 -0500)
committer	Chuck Lever <chuck.lever@oracle.com>
	Thu, 18 Dec 2025 16:19:11 +0000 (11:19 -0500)
commit	913f7cf77bf14c13cfea70e89bcb6d0b22239562
tree	7f5b09b23c31538dc7fbc7f380dff1d7a05efb13	tree \| snapshot
parent	ad3cbbb0c1892c48919727fcb8dec5965da8bacb	commit \| diff

NFSD: NFSv4 file creation neglects setting ACL

An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".

The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.

Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.

Reported-by: Aurélien Couderc <aurelien.couderc2002@gmail.com>
Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
Cc: Roland Mainz <roland.mainz@nrubsig.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>