-
-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix PermissionDeniedException in NativeBroker.defragXMLresource #5311
Open
line-o
wants to merge
4
commits into
eXist-db:develop
Choose a base branch
from
line-o:fix/defragxmlresource
base: develop
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
fe48be4
[bugfix] do not set permissions on temporary document
line-o e6edd24
[test] address code review in UpdateInsertTriggersDefrag
line-o cf0ec0f
[bugfix] revert to previous constructor call for tempDoc in defragXML…
line-o 6d21c25
Remove resource leak
dizzzz File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think just removing this is the correct or secure solution. Can you write a bit more detail in the description of the PR about exactly what the problem was please, that might help me to suggest a better solution.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The commit message body has some more detail.
I hope this clarifies the motivation and justification.
I would like to point out that we arrived at this solution together with @wolfgangmm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please only block PRs where you have either proof that it creates a problem or at least share the thoughts what the issue might be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Obviously!
I am concerned that the temporary document which looks persistent to me is not correctly initialised, also I am concerned that the security on it is now too relaxed, this could lead to a data leak/exploit.
Can you clearly describe the initial problem that you are trying to solve in the PR description please. For example, something like: There is an active user
U
with the security profiles(U)
, there is documentD
with the permissionsp(D)
, when the actionA
is executed by the subjectAS
with security profiles(AS)
, it is rejected becauses(AS)
is incompatible withp(D)
.Obviously you need to replace the symbols above with the actual details.
It just discusses the solution you arrived at, it does not clearly describe the problem you were trying to solve.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was debugging this code with Juri yesterday and as the original author of the defrag method, I confirm that the offending line
tempDoc.copyOf(this, doc, doc);
is not only unnecessary here, but can cause database corruption. ThetempDoc
is only used as a temporary container for copying nodes during defrag and is thrown away afterwards! Original permissions and ownership on the resource are not affected by thedefragXMLResource
operation in any way, because thetempDoc
is never written. What is written is the original DocumentImpl, which still has the proper permissions and ownership.It seems I originally added the call to
tempDoc.copyOf
19 years ago and it was preserved during a series of refactorings later though the implementation ofDocumentImpl
had changed to the point that it now may actually cause a corruption when called in this case.Please be aware that this issue is a ticking time bomb that will lead to data wipe out!!! Together with the even more fatal #5296 (because it's easier to run into) this is absolutely worth a hotfix, so I would give it a thumbs up, not excluding that more improvements could be done at a later point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @wolfgangmm thanks for your reply. It is interesting to hear about these symptoms, and it does sound like something needs to be fixed. However, the actual original issue and its cause remain unclear. I would like further information please so that we may all understand it...
Could you explain how that is possible please? As I understood it from @line-o's description there was a
PermissionDeniedException
which has not yet been explained. I am not sure how aPermissionDeniedException
, which is a genuine way of forbidding a subject from doing something they are not allowed to do, could cause a database corruption here?I did not expect that they would be.
Okay.
What I (and presumably others) don't yet understand, and what has not yet been explained, is how can the current approach that places the same permissions onto
tempDoc
as the original resource that is to be defragmented, cause aPermissionDeniedException
(and then also if I now understand you, a subsequent database corruption)?I agree that it sounds like it needs to be fixed. At the moment I don't have enough information to see if the proposed fix correctly addresses the cause. I trust you and @line-o will provide the requested information about the underlying issue and cause...
Let's consider that separately. As at the moment #5296 is blocked by work that is still needed to address issues introduced in #5276 which itself was rushed and merged in violation of the agreed community process for reviewing and merging PRs.
From what you have said so far, I agree. We just need more information to be able to complete the review of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@line-o added some information about how to reproduce the issue. It requires a certain combination of permissions. The corruption occurs because the PermissionDeniedException aborts the defrag process after some steps have already been applied. Therefore another way to prevent this might be to move the offending code further up to the start of the method. We did not follow this route as dropping the line is the cleaner way to solve the issue.
The PermissionDeniedException is eventually thrown in line 664 of
DocumentImpl#copyOf
:why this happens I cannot explain entirely and it seems very weird that the owners would be different. It must be related to the setgid. But in itself it has nothing to do with the actual defrag routine and points to another bug in permission handling.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, the root issue this PR tries to solve is the database corruption resulting from the defrag operation. The only correct resolution for this is to fix defrag, which we did. I strongly object against calling a fix a workaround.
Fixing the permission issue may help with other operations, but won't change this PR in any way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wolfgangmm I think you have accidentally deleted or overwritten my comments
@wolfgangmm Are you able to restore my comments please? If not, I can try and re-create them...