public inbox for linux-ext4@vger.kernel.org
 help / color / mirror / Atom feed
From: Jan Kara <jack@suse.cz>
To: Max Kellermann <max.kellermann@ionos.com>
Cc: Jan Kara <jack@suse.cz>, Xiubo Li <xiubli@redhat.com>,
	Ilya Dryomov <idryomov@gmail.com>,
	Jeff Layton <jlayton@kernel.org>, Jan Kara <jack@suse.com>,
	Dave Kleikamp <shaggy@kernel.org>,
	ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-ext4@vger.kernel.org, jfs-discussion@lists.sourceforge.net,
	Christian Brauner <brauner@kernel.org>,
	fdevel@quack3, Yang Xu <xuyang2018.jy@fujitsu.com>
Subject: Re: [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if ACL support is disabled
Date: Wed, 11 Oct 2023 12:05:41 +0200	[thread overview]
Message-ID: <20231011100541.sfn3prgtmp7hk2oj@quack3> (raw)
In-Reply-To: <CAKPOu+-nC2bQTZYL0XTzJL6Tx4Pi1gLfNWCjU2Qz1f_5CbJc1w@mail.gmail.com>

On Tue 10-10-23 15:17:17, Max Kellermann wrote:
> On Tue, Oct 10, 2023 at 3:11 PM Jan Kara <jack@suse.cz> wrote:
> > Thanks for the updated changelog! But as I'm looking into VFS code isn't
> > this already handled by mode_strip_umask() / vfs_prepare_mode() in
> > fs/namei.c? Because posix_acl_create() doesn't do anything to 'mode' for
> > !IS_POSIXACL() filesystems either. So at least ext2 (where I've checked
> > the mount option handling) does seem to have umask properly applied in all
> > the cases. But I might be missing something...
> 
> I'm not sure either. I was hoping the VFS experts could tell something
> about how this API is supposed to be used and whose responsibility it
> is to apply the umask. There used to be some confusion in the code, to
> the point it was missing completely for O_TMPFILE. I'm still somewhat
> confused. Maybe this is a chance to clear this confusion up and then
> document it?

So I've checked some more and the kernel doc comments before
mode_strip_umask() and vfs_prepare_mode() make it pretty obvious - all
paths creating new inodes must be calling vfs_prepare_mode(). As a result
mode_strip_umask() which handles umask stripping for filesystems not
supporting posix ACLs. For filesystems that do support ACLs,
posix_acl_create() must be call and that handles umask stripping. So your
fix should not be needed. CCed some relevant people for confirmation.

> I wish there was one central place to apply the umask, and not spread
> it around two (or more?) different code locations, depending on
> whether there's an ACL. For my taste, that sort of policy is too error
> prone for something as sensitive as umasks. After we already had the
> O_TMPFILE vulnerability (which was only fixed last year, three
> years(!) after I reported it).

I agree having umask stripping in two places is not great but it's
difficult to avoid with how posix ACLs are implemented and intertwined in
various filesystem implementations. At least the current design made it
quite a bit harder to forget to strip the umask.

								Honza
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

  reply	other threads:[~2023-10-11 10:05 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-19  8:18 [PATCH] fs: apply umask if POSIX ACL support is disabled Max Kellermann
2023-09-21  0:51 ` Xiubo Li
2023-10-03 15:32 ` Dave Kleikamp
2023-10-07  1:19   ` Xiubo Li
2023-10-09 14:43   ` [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if " Max Kellermann
2023-10-09 16:49     ` Dave Kleikamp
2023-10-10 13:11     ` Jan Kara
2023-10-10 13:17       ` Max Kellermann
2023-10-11 10:05         ` Jan Kara [this message]
2023-10-11 10:51           ` Max Kellermann
2023-10-11 12:06             ` Jan Kara
2023-10-11 12:18               ` Max Kellermann
2023-10-11 12:27                 ` Jan Kara
2023-10-11 12:27                 ` Max Kellermann
2023-10-11 13:59                   ` Jan Kara
2023-10-11 15:27                     ` Christian Brauner
2023-10-11 16:29                       ` Jan Kara
2023-10-12  9:22                         ` Christian Brauner
2023-10-12  9:41                           ` Jan Kara
2023-10-11 17:00                       ` Theodore Ts'o
2023-10-11 17:26                         ` Jan Kara
2023-10-12 14:29                           ` Theodore Ts'o
2023-10-12 14:42                             ` Jan Kara
2024-03-13 20:40                               ` Michael Forney
2024-03-14 13:08                                 ` Max Kellermann
2024-03-15 13:52                                   ` Christian Brauner
2023-10-09 14:45   ` [PATCH] fs: apply umask if POSIX " Max Kellermann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20231011100541.sfn3prgtmp7hk2oj@quack3 \
    --to=jack@suse.cz \
    --cc=brauner@kernel.org \
    --cc=ceph-devel@vger.kernel.org \
    --cc=fdevel@quack3 \
    --cc=idryomov@gmail.com \
    --cc=jack@suse.com \
    --cc=jfs-discussion@lists.sourceforge.net \
    --cc=jlayton@kernel.org \
    --cc=linux-ext4@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=max.kellermann@ionos.com \
    --cc=shaggy@kernel.org \
    --cc=xiubli@redhat.com \
    --cc=xuyang2018.jy@fujitsu.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox