Permission weirdness in Solaris 10
I recently upgraded our two Sun machines from Solaris 9 to Solaris 10. That is a story in itself, which I probably won't bother to tell, but one of the machines upgraded fine using lu(1M) while the other had no end of problems, and I finally upgraded it by doing a full install into a new partition and copying across the various changes we had made (e.g., NIS+ user database, NFS exports, sendmail, NTP, backups, cron, mailman, etc etc).
Anyway, it seems pretty happy now, which is good.
I was doing some testing, and I had the following behaviour:
$ cd /opt/tmp
$ mkdir test
$ rmdir test
$ mkdir test
$ rm -r test
rm: cannot determine if this is an ancestor of the current working directory
tmp
$
That is, I could remove a directory using rmdir but not using rm -r (this was as an unprivileged user).
I did a truss(1) and got the following:
...
lstat64("tmp", 0xFFBFF6C8) = 0
resolvepath("tmp", "tmp", 1024) = 3
getcwd("/opt/tmp", 1024) = 0
open64(".", O_RDONLY) = 3
stat64(".", 0xFFBFF1D0) = 0
chdir("..") = 0
lstat64(".", 0xFFBFF1D0) = 0
chdir("..") Err#13 EACCES [file_dac_search]
...
After doing some googling I decided it was probably a mount-related problem: /opt is a separate partition to /. Perhaps the permissions of the /opt mount point in the / partition were bad.
The visible permissions of /opt were fine:
$ ls -ald /opt
drwxr-xr-x 24 root sys 512 May 6 16:05 /opt
$
But how to check and/or change the permissions of a mount point without unmounting the target? This would have meant stopping a whole heap of services that are running from /opt.
Jason suggested to use NFS to mount / by itself in some other directory and check it:
# share -F nfs -o rw=localhost,root=localhost /
# mount -F nfs -o vers=3 localhost:/ /mnt
The -o vers=3 is to get around some permission weirdness with NFS version 4 (the default version in Solaris 10). Perhaps I need to set NFS_MAPID_DOMAIN to something sensible (like anu.edu.au) in /etc/default/nfs.
# ls -ld /mnt/opt
drwx------ 2 root other 512 May 4 11:48 /mnt/opt
Sure enough, the permissions for /mnt/opt were wrong. To fix:
# chmod go+rx /mnt/opt
# umount /mnt
# unshare /
And everything is fine, I can now do rm -r within /opt.
How did this happen, and why didn't I notice it before? This was on the machine that was live-upgraded, so perhaps the permissions have been "wrong" for quite some time and it didn't matter in Solaris 9 (i.e., this particular permissions corner case wasn't checked by the kernel), or perhaps there is a bug in live-upgrade itself, causing mount points to get weird permissions.
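A way to locate the same condition without the NFS loopback mount, as an added example that is not part of the original post: it repeats the chdir("..") walk seen in the truss output and reports the directory from which the step up is refused. It assumes Python 3 is available and that it is run as the affected unprivileged user; find_blocked_ancestor is a name chosen here.

```python
import os
import sys


def find_blocked_ancestor(start="."):
    """Walk from `start` up to / one chdir("..") at a time.

    Returns None when every step succeeds, otherwise the directory from
    which the step up was refused (in the post's case that would be the
    root of the mounted file system, whose covered mount point lacks
    search permission). The caller's working directory is restored.
    """
    saved = os.open(".", os.O_RDONLY)      # remember where we started
    try:
        os.chdir(start)
        here = os.getcwd()                 # physical path of the start
        while True:
            before = os.stat(".")
            try:
                os.chdir("..")             # a real chdir(".."), not a path rewrite
            except PermissionError:        # EACCES, as in the truss output
                return here
            after = os.stat(".")
            if (before.st_dev, before.st_ino) == (after.st_dev, after.st_ino):
                return None                # ".." of / is / itself: reached the top
            here = os.path.dirname(here)
    finally:
        os.fchdir(saved)
        os.close(saved)


if __name__ == "__main__":
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    blocked = find_blocked_ancestor(start)
    if blocked is None:
        print("every ancestor of %s can be entered via '..'" % start)
    else:
        print("chdir('..') refused from %s" % blocked)
        print("if 'ls -ld' on it looks fine and it is a mount point,")
        print("check the permissions of the directory it covers")
        sys.exit(1)
```

A shell loop with cd is not a substitute: shells may rewrite ".." into an absolute path before calling chdir, which bypasses the covered directory just as ls -ld /opt does.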

1 comment:
thank you!