I've CC'd linux-nfs in case anyone there has some insight
as to why listxattr() is more restrictive on NFS than locally,
returning EACCES for files without read access. Details below...

On 09/01/2025 04:55, Paul Eggert wrote:
Thanks, but is this part of the change needed?

+  else if (f->acl_type == ACL_T_UNKNOWN)
+    modebuf[10] = '?';

I thought modebuf[10] was already '?' at that point.

Only if the stat() failed, which is not the case here.

Note it's worth mentioning that over NFS with unreadable files
you can GET the security.selinux xattr, but you can't LIST any xattrs:

  $ strace -e trace=/.*xattr.* attr -S -g selinux /mnt/nfs/file
  lgetxattr("/mnt/nfs/file", "security.selinux", "system_u:object_r:nfs_t:s0", 
65536) = 27
  Attribute "selinux" had a 27 byte value for /mnt/nfs/file:
  system_u:object_r:nfs_t:s0
  +++ exited with 0 +++

  $ strace -e trace=/.*xattr.* attr -S -l /mnt/nfs/file
  llistxattr("/mnt/nfs/file", 0x7ffc92de48a0, 65536) = -1 EACCES (Permission 
denied)
  attr_list: Permission denied
  Could not list /mnt/nfs/file

Also there was a change since coreutils v9.5 where we don't call the GET,
whereas coreutils 9.5 did call lgetxattr() and thus showed the correct (.) flag
(albeit with the problematic warning):

  $ strace -e trace=/.*xattr.* src/ls -l /mnt/nfs/file
  llistxattr("/mnt/nfs/file", 0x7ffe1e5b7b6c, 152) = -1 EACCES (Permission 
denied)
  --w-------? 1 padraig padraig 0 Jan  8 20:42 /mnt/nfs/file
  +++ exited with 0 +++

  $ strace -e trace=/.*xattr.* ls-v9.5 -l /mnt/nfs/file
  lgetxattr("/mnt/nfs/file", "security.selinux", "system_u:object_r:nfs_t:s0", 
255) = 27
  listxattr("/mnt/nfs/file", 0x7ffd58023810, 152) = -1 EACCES (Permission 
denied)
  ls: /mnt/nfs/file: Permission denied
  --w-------. 1 padraig padraig 0 Jan  8 20:42 /mnt/nfs/file
  +++ exited with 0 +++

So perhaps we should also always call lgetxattr("security.selinux"),
or at least fall back to that upon EACCES from listxattr() ?

cheers,
Pádraig



Reply via email to