Hardlinks and symlinks work, but can't create a hardlink to a symlink


Alexander Dorokhine
Dear fuse-devel;

I'm trying to make a filesystem I can use for backups, so having "cp -al" work properly is important to me. However, currently this command dies when trying to cp any folder containing symlinks.

The cause is that my filesystem doesn't seem to allow hardlinking a symlink:
$ echo hi > a
$ ln -s a a.symlink
$ ln a a.hardlink
$ ln a.symlink a.symlink.hardlink
ln: failed to create hard link ‘a.symlink.hardlink’ => ‘a.symlink’: Operation not permitted


I straced the 'ln' call and the failing call seems to be this:
stat("a.symlink.hardlink", 0x7fffdfc6ff20) = -1 ENOENT (No such file or directory)
lstat("a.symlink", {st_mode=S_IFLNK, st_size=0, ...}) = 0
linkat(AT_FDCWD, "a.symlink", AT_FDCWD, "a.symlink.hardlink", 0) = -1 EPERM (Operation not permitted)


But on my side the link() implementation doesn't even seem to get called. Debug output looks like this:
unique: 221, opcode: LOOKUP (1), nodeid: 1, insize: 59, pid: 20373
LOOKUP /a.symlink.hardlink
getattr /a.symlink.hardlink
   unique: 221, error: -2 (No such file or directory), outsize: 16
unique: 222, opcode: LOOKUP (1), nodeid: 1, insize: 50, pid: 20373
LOOKUP /a.symlink
getattr /a.symlink
   NODEID: 10
   unique: 222, success, outsize: 144
unique: 223, opcode: LOOKUP (1), nodeid: 1, insize: 59, pid: 20373
LOOKUP /a.symlink.hardlink
getattr /a.symlink.hardlink
   unique: 223, error: -2 (No such file or directory), outsize: 16


Anyone know what I'm doing wrong?

This is fuse 2.9.2 on linux 3.13.0.

Thanks!
Alex

--
fuse-devel mailing list
To unsubscribe or subscribe, visit https://lists.sourceforge.net/lists/listinfo/fuse-devel

Re: Hardlinks and symlinks work, but can't create a hardlink to a symlink

Alexander Dorokhine
After further googling I discovered this linux kernel patch:
http://www.openwall.com/lists/kernel-hardening/2012/02/18/6

This restricts hardlink creation in the following circumstances:

+ * Block hardlink when all of:
+ *  - sysctl_protected_nonaccess_hardlinks enabled
+ *  - fsuid does not match inode
+ *  - at least one of:
+ *    - inode is not a regular file
+ *    - inode is setuid
+ *    - inode is setgid and group-exec
+ *    - access failure for read and write
+ *  - not CAP_FOWNER
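Review bot: the "access failure for read and write" bullet under "at least one of" is ambiguous about whether the block applies when the caller lacks both kinds of access or when either check fails; say which, for example "caller does not have both read and write access". The "fsuid does not match inode" bullet should name the field being compared ("inode owner uid"). The comment also refers to sysctl_protected_nonaccess_hardlinks, while the knob toggled later in this message is /proc/sys/fs/protected_hardlinks, so the comment should state the user-visible sysctl name.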

I found another post here about how to turn this off:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721594

And indeed, after I did "echo 0 | sudo tee /proc/sys/fs/protected_hardlinks", this operation started working.

Does anyone know which of these restrictions my case violates and what the "proper fix" would be?

dmesg log:
[22345.267280] type=1702 audit(1460273346.328:72): op=linkat ppid=20378 pid=20381 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts17 ses=4294967295 comm="ln" exe="/bin/ln" res=0
[22345.267298] type=1302 audit(1460273346.328:73): item=0 name="/tmp/ufs/a.symlink" inode=7 dev=00:19 mode=0120000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL

Thanks!
Alex

On 10 April 2016 at 00:33, Alexander Dorokhine <[hidden email]> wrote:
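
The block rule quoted in the second message, applied to the fsuid, ouid and mode values from its two audit records; this is an added example, not part of the original posts or of the kernel patch. The struct, the function names and the `can_read_write` flag are assumptions made for illustration, and the logic follows the quoted comment rather than any particular kernel's source.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Facts the quoted rule needs about the caller and the link source. */
struct link_request {
    bool   sysctl_enabled;  /* /proc/sys/fs/protected_hardlinks is non-zero */
    uid_t  fsuid;           /* caller's filesystem uid */
    bool   cap_fowner;      /* caller holds CAP_FOWNER */
    uid_t  inode_uid;       /* owner of the link source (ouid in the audit record) */
    mode_t inode_mode;      /* file type and permission bits of the link source */
    bool   can_read_write;  /* assumption: caller passes a read+write access check */
};

/* Flags naming which "at least one of" bullet marks the source as unsafe. */
enum { NOT_REGULAR = 1, IS_SETUID = 2, SETGID_GROUP_EXEC = 4, NO_RW_ACCESS = 8 };

/* Returns the set of unsafe-source reasons; 0 means none of the bullets apply. */
int unsafe_source_reasons(const struct link_request *r)
{
    int why = 0;
    if (!S_ISREG(r->inode_mode)) why |= NOT_REGULAR;
    if (r->inode_mode & S_ISUID) why |= IS_SETUID;
    if ((r->inode_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))
        why |= SETGID_GROUP_EXEC;
    if (!r->can_read_write) why |= NO_RW_ACCESS;
    return why;
}

/* "Block hardlink when all of": every top-level bullet must hold. */
bool hardlink_blocked(const struct link_request *r)
{
    return r->sysctl_enabled && r->fsuid != r->inode_uid &&
           unsafe_source_reasons(r) != 0 && !r->cap_fowner;
}

/* From the audit records: fsuid=1000, ouid=0, mode=0120000. The access flag
 * is not in the records; it is set to true so only mode-derived reasons show. */
struct link_request from_audit_record(bool sysctl_enabled)
{
    struct link_request r = { .sysctl_enabled = sysctl_enabled, .fsuid = 1000,
        .cap_fowner = false, .inode_uid = 0, .inode_mode = 0120000,
        .can_read_write = true };
    return r;
}

int main(void)
{
    struct link_request on = from_audit_record(true), off = from_audit_record(false);
    printf("sysctl on : blocked=%d reasons=%d\n", hardlink_blocked(&on), unsafe_source_reasons(&on));
    printf("sysctl off: blocked=%d\n", hardlink_blocked(&off));
    return 0;
}
```

Under the quoted rule, the same request is not blocked when `inode_uid` equals the caller's `fsuid`, since the "fsuid does not match inode" bullet no longer holds.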

Re: Hardlinks and symlinks work, but can't create a hardlink to a symlink

Alexander Dorokhine
Friendly bump :) does anyone have any idea how I would fix this?

On 10 April 2016 at 00:48, Alexander Dorokhine <[hidden email]> wrote: