Description
The permissions of CachePool are incorrectly checked. The checking logic:

```java
public void checkPermission(CachePool pool, FsAction access)
    throws AccessControlException {
  FsPermission mode = pool.getMode();
  if (isSuperUser()) {
    return;
  }
  if (getUser().equals(pool.getOwnerName())
      && mode.getUserAction().implies(access)) {
    return;
  }
  if (isMemberOfGroup(pool.getGroupName())
      && mode.getGroupAction().implies(access)) {
    return;
  }
  // The following check seems incorrect:
  // we should ensure the current user is neither the pool's owner
  // nor a member of the pool's group.
  if (mode.getOtherAction().implies(access)) {
    return;
  }
  throw new AccessControlException("Permission denied while accessing pool "
      + pool.getPoolName() + ": user " + getUser() + " does not have "
      + access.toString() + " permissions.");
}
```
As a corner case, take a cache pool with owner "test", group "test-group" and permission mode ------rwx (007). A user named "test", or any user whose group is "test-group", can access this pool. This should not be allowed, since the permissions for the pool's owner and group are both none.
The check for other users should be updated like this:

```java
if (!getUser().equals(pool.getOwnerName())
    && !isMemberOfGroup(pool.getGroupName())
    && mode.getOtherAction().implies(access)) {
  return;
}
```
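The corner case above as a self-contained model, comparing the reported check with the proposed one for an owner, a group member and an unrelated user. This is an added example, not Hadoop code: `Pool`, `Caller`, `original` and `proposed` are constructed stand-ins, modes are plain octal integers, and the superuser shortcut is omitted.

```java
import java.util.Set;

public class CachePoolPermissionDemo {
    // Constructed stand-ins for Hadoop's CachePool and the calling identity.
    record Pool(String owner, String group, int mode) {}
    record Caller(String user, Set<String> groups) {}

    // True if the 3-bit rwx class at `shift` grants every bit in `access`.
    static boolean implies(int mode, int shift, int access) {
        return (((mode >> shift) & 7) & access) == access;
    }

    // Logic as reported: the "other" bits are consulted for every caller.
    static boolean original(Pool p, Caller c, int access) {
        if (c.user().equals(p.owner()) && implies(p.mode(), 6, access)) return true;
        if (c.groups().contains(p.group()) && implies(p.mode(), 3, access)) return true;
        return implies(p.mode(), 0, access);
    }

    // Proposed change: "other" applies only to callers who are neither
    // the pool's owner nor a member of the pool's group.
    static boolean proposed(Pool p, Caller c, int access) {
        if (c.user().equals(p.owner()) && implies(p.mode(), 6, access)) return true;
        if (c.groups().contains(p.group()) && implies(p.mode(), 3, access)) return true;
        return !c.user().equals(p.owner())
                && !c.groups().contains(p.group())
                && implies(p.mode(), 0, access);
    }

    public static void main(String[] args) {
        Pool pool = new Pool("test", "test-group", 0007); // ------rwx
        Caller[] callers = {
            new Caller("test", Set.of("users")),        // pool owner
            new Caller("alice", Set.of("test-group")),  // member of pool group
            new Caller("bob", Set.of("users")),         // unrelated user
        };
        int read = 4; // r-- bit within one permission class
        for (Caller c : callers) {
            System.out.printf("%-6s original=%-5b proposed=%b%n",
                    c.user(), original(pool, c, read), proposed(pool, c, read));
        }
    }
}
```

With the reported logic all three callers are granted read access; with the proposed check only the unrelated user is, which matches the 007 mode.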