From: "xuyang2018.jy@fujitsu.com" <xuyang2018.jy@fujitsu.com>
To: Dave Chinner <david@fromorbit.com>
Cc: "linux-xfs@vger.kernel.org" <linux-xfs@vger.kernel.org>,
"djwong@kernel.org" <djwong@kernel.org>,
"pvorel@suse.cz" <pvorel@suse.cz>
Subject: Re: [RFC RESEND] xfs: fix up non-directory creation in SGID directories when umask S_IXGRP
Date: Wed, 23 Mar 2022 07:18:59 +0000 [thread overview]
Message-ID: <623ACA1C.9050203@fujitsu.com> (raw)
In-Reply-To: <20220322092322.GO1544202@dread.disaster.area>
on 2022/3/22 17:23, Dave Chinner wrote:
> On Tue, Mar 22, 2022 at 07:43:20PM +1100, Dave Chinner wrote:
>> On Tue, Mar 22, 2022 at 04:04:17PM +0800, Yang Xu wrote:
>>> Petr reported a problem that S_ISGID bit was not clean when testing ltp
>>> case create09[1] by using umask(077).
>>
>> Ok. So what is the failure message from the test?
>>
>> When did the test start failing? Is this a recent failure or
>> something that has been around for years? If it's recent, what
>> commit broke it?
>
> Ok, I went and looked at the test, and it confirmed my suspicion. I
> can't find the patch that introduced this change on lore.kernel.org.
> Looks like one of those silent security fixes that nobody gets told
> about, gets no real review, has no test cases written for it, etc.
>
> And nobody wrote a test for until August 2021 and that's when people
> started to notice broken filesystems.
>
> This is the commit that failed to fix several filesystems:
>
> commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
> Author: Linus Torvalds<torvalds@linux-foundation.org>
> Date: Tue Jul 3 17:10:19 2018 -0700
>
> Fix up non-directory creation in SGID directories
>
> sgid directories have special semantics, making newly created files in
> the directory belong to the group of the directory, and newly created
> subdirectories will also become sgid. This is historically used for
> group-shared directories.
>
> But group directories writable by non-group members should not imply
> that such non-group members can magically join the group, so make sure
> to clear the sgid bit on non-directories for non-members (but remember
> that sgid without group execute means "mandatory locking", just to
> confuse things even more).
>
> Reported-by: Jann Horn<jannh@google.com>
> Cc: Andy Lutomirski<luto@kernel.org>
> Cc: Al Viro<viro@zeniv.linux.org.uk>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 2c300e981796..8c86c809ca17 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
> inode->i_uid = current_fsuid();
> if (dir&& dir->i_mode& S_ISGID) {
> inode->i_gid = dir->i_gid;
> +
> + /* Directories are special, and always inherit S_ISGID */
> if (S_ISDIR(mode))
> mode |= S_ISGID;
> + else if ((mode& (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)&&
> + !in_group_p(inode->i_gid)&&
> + !capable_wrt_inode_uidgid(dir, CAP_FSETID))
> + mode&= ~S_ISGID;
> } else
> inode->i_gid = current_fsgid();
> inode->i_mode = mode;
>
> The problem is it takes away mode bits that the VFS passed to us
> deep in the VFS inode initialisation done during on-disk inode
> initialisation, and it's hidden well away from sight of the
> filesystems.
>
> Oh, what a mess - this in_group_p()&& capable_wrt_inode_uidgid()
> check is splattered all over filesystems in random places to clear
> SGID bits. e.g ceph_finish_async_create() is an open coded
> inode_init_owner() call. There's special case
> code in fuse_set_acl() to clear SGID. There's a special case in
> ovl_posix_acl_xattr_set() for ACL xattrs to clear SGID. And so on.
>
> No consistency anywhere - shouldn't the VFS just be stripping the
> SGID bit before it passes the mode down to filesystems? It has all
> the info it needs - it doesn't need the filesystems to do everything
> correctly with the mode and ensuring that they order things like
> posix acl setup functions correctly with inode_init_owner() to strip
> the SGID bit...
>
> Just strip the SGID bit at the VFS, and then the filesystems can't
> get it wrong...
Thanks for your reply.
Sound reasonable, but I am not sure I have the ability to do this.
Will try ...
Best Regards
Yang Xu
>
> Cheers,
>
> Dave.
next prev parent reply other threads:[~2022-03-23 7:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-22 8:04 [RFC RESEND] xfs: fix up non-directory creation in SGID directories when umask S_IXGRP Yang Xu
2022-03-22 8:43 ` Dave Chinner
2022-03-22 9:23 ` Dave Chinner
2022-03-23 7:18 ` xuyang2018.jy [this message]
2022-03-22 9:42 ` xuyang2018.jy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=623ACA1C.9050203@fujitsu.com \
--to=xuyang2018.jy@fujitsu.com \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.