* [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit
@ 2013-08-01 15:02 bugzilla-daemon
2013-08-01 15:55 ` [Bug 60676] " bugzilla-daemon
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: bugzilla-daemon @ 2013-08-01 15:02 UTC (permalink / raw)
To: linux-ext4
https://bugzilla.kernel.org/show_bug.cgi?id=60676
Bug ID: 60676
Summary: Stat system call gives permission denied to root for
links under a sticky bit
Product: File System
Version: 2.5
Kernel Version: 3.5.0
Hardware: x86-64
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@kernel-bugs.osdl.org
Reporter: jck@videk.com
Regression: No
If a directory has a sticky bit set, root cannot use anything that makes the
stat system call on any of the links there.
Example:
> $ ls -ld /tmp/
> drwxrwxrwt 17 root root 4825088 Aug 1 10:50 /tmp/
> $ mkdir /tmp/testdir
> $ touch /tmp/testdir/testfile
> $ ln -s /tmp/testdir/ /tmp/testlink
> $ ls /tmp/testlink/
> testfile
> $ su
> # ls /tmp/testlink
ls: cannot access /tmp/testlink: Permission denied
> # ls /tmp/testdir
> testfile
I can see how having root blindly follow links in a sticky directory could be a
bad idea, but this goes against the behavior described by the man pages.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 60676] Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
@ 2013-08-01 15:55 ` bugzilla-daemon
2013-08-01 18:19 ` bugzilla-daemon
` (3 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2013-08-01 15:55 UTC (permalink / raw)
To: linux-ext4
https://bugzilla.kernel.org/show_bug.cgi?id=60676
--- Comment #1 from Theodore Tso <tytso@mit.edu> ---
On Thu, Aug 01, 2013 at 03:02:36PM +0000, bugzilla-daemon@bugzilla.kernel.org
wrote:
>
> If a directory has a sticky bit set, root cannot use anything that makes the
> stat system call on any of the links there.
>
> Example:
> > $ ls -ld /tmp/
> > drwxrwxrwt 17 root root 4825088 Aug 1 10:50 /tmp/
> > $ mkdir /tmp/testdir
> > $ touch /tmp/testdir/testfile
> > $ ln -s /tmp/testdir/ /tmp/testlink
> > $ ls /tmp/testlink/
> > testfile
> > $ su
> > # ls /tmp/testlink
> ls: cannot access /tmp/testlink: Permission denied
> > # ls /tmp/testdir
> > testfile
Works for me:
<tytso.root@lambda> {/tmp}, level 2
509# ls -aldg /tmp
0 drwxrwxrwt 18 root 1840 Aug 1 11:10 /tmp/
<tytso.root@lambda> {/tmp}, level 2
510# stat /tmp/testdir
File: tmp/testdir'
Size: 60 Blocks: 0 IO Block: 4096 directory
Device: 12h/18d Inode: 3290419 Links: 2
Access: (0700/drwx------) Uid: (15806/ tytso) Gid: (15806/ tytso)
Access: 2013-08-01 11:10:01.141462969 -0400
Modify: 2013-08-01 11:09:53.301463057 -0400
Change: 2013-08-01 11:10:51.261462406 -0400
Birth: -
<tytso.root@lambda> {/tmp}, level 2
511# stat /tmp/testfile
File: tmp/testfile' -> stdir/testfile'
Size: 16 Blocks: 0 IO Block: 4096 symbolic link
Device: 12h/18d Inode: 3288475 Links: 1
Access: (0777/lrwxrwxrwx) Uid: (15806/ tytso) Gid: (15806/ tytso)
Access: 2013-08-01 11:10:04.701462929 -0400
Modify: 2013-08-01 11:10:03.691462941 -0400
Change: 2013-08-01 11:10:03.691462941 -0400
Birth: -
<tytso.root@lambda> {/tmp}, level 2
512# uname -a
Linux lambda 3.11.0-rc2-00261-g316da4e #50 SMP Fri Jul 26 08:41:29 EDT 2013
x86_64 GNU/Linux
<tytso.root@lambda> {/tmp}, level 2
513#
I suspect you are using SELinux? (You have a security problem. So
you install SELinux; now you have 6+ megabytes worth of problems when
you try to decipher the SELinux policy definitions. :-)
- Ted
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 60676] Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
2013-08-01 15:55 ` [Bug 60676] " bugzilla-daemon
@ 2013-08-01 18:19 ` bugzilla-daemon
2013-08-01 18:21 ` [Bug 60676] New: " Christoph Hellwig
` (2 subsequent siblings)
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2013-08-01 18:19 UTC (permalink / raw)
To: linux-ext4
https://bugzilla.kernel.org/show_bug.cgi?id=60676
--- Comment #2 from James Kolb <jck@videk.com> ---
The stat command (stat(1)) works on the link itself (but you can't go further
down the filesystem hierarchy).
So, in my previous example, calling "stat /tmp/testlink" and "stat
/tmp/testdir/testfile" both work, but "stat /tmp/testlink/testfile" gives a
permission error if you are root:
> stat: cannot stat `/tmp/testlink/testfile': Permission denied
The glibc stat function (stat(2)) does not even work on the link itself.
I'm not using SELinux.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
2013-08-01 15:55 ` [Bug 60676] " bugzilla-daemon
2013-08-01 18:19 ` bugzilla-daemon
@ 2013-08-01 18:21 ` Christoph Hellwig
2013-08-02 0:44 ` Theodore Ts'o
2013-08-02 0:44 ` [Bug 60676] " bugzilla-daemon
2013-08-02 14:34 ` bugzilla-daemon
4 siblings, 1 reply; 8+ messages in thread
From: Christoph Hellwig @ 2013-08-01 18:21 UTC (permalink / raw)
To: bugzilla-daemon; +Cc: linux-ext4
Try reverting 800179c9b8a1e796e441674776d11cd4c05d61d7
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 18:21 ` [Bug 60676] New: " Christoph Hellwig
@ 2013-08-02 0:44 ` Theodore Ts'o
0 siblings, 0 replies; 8+ messages in thread
From: Theodore Ts'o @ 2013-08-02 0:44 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: bugzilla-daemon, linux-ext4
On Thu, Aug 01, 2013 at 11:21:16AM -0700, Christoph Hellwig wrote:
> Try reverting 800179c9b8a1e796e441674776d11cd4c05d61d7
Or just do:
echo 0 > /proc/sys/fs/protected_hardlinks
echo 0 > /proc/sys/fs/protected_symlinks
(or put the equivalent in /etc/sysctl.conf).
There is a **very** detailed description of the design decision behind
this change (which went in as of 3.6) in the commit description. See:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
In any case, it's "working as designed".
- Ted
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 60676] Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
` (2 preceding siblings ...)
2013-08-01 18:21 ` [Bug 60676] New: " Christoph Hellwig
@ 2013-08-02 0:44 ` bugzilla-daemon
2013-08-02 3:16 ` jon ernst
2013-08-02 14:34 ` bugzilla-daemon
4 siblings, 1 reply; 8+ messages in thread
From: bugzilla-daemon @ 2013-08-02 0:44 UTC (permalink / raw)
To: linux-ext4
https://bugzilla.kernel.org/show_bug.cgi?id=60676
--- Comment #3 from Theodore Tso <tytso@mit.edu> ---
On Thu, Aug 01, 2013 at 11:21:16AM -0700, Christoph Hellwig wrote:
> Try reverting 800179c9b8a1e796e441674776d11cd4c05d61d7
Or just do:
echo 0 > /proc/sys/fs/protected_hardlinks
echo 0 > /proc/sys/fs/protected_symlinks
(or put the equivalent in /etc/sysctl.conf).
There is a **very** detailed description of the design decision behind
this change (which went in as of 3.6) in the commit description. See:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
In any case, it's "working as designed".
- Ted
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Bug 60676] Stat system call gives permission denied to root for links under a sticky bit
2013-08-02 0:44 ` [Bug 60676] " bugzilla-daemon
@ 2013-08-02 3:16 ` jon ernst
0 siblings, 0 replies; 8+ messages in thread
From: jon ernst @ 2013-08-02 3:16 UTC (permalink / raw)
To: bugzilla-daemon; +Cc: linux-ext4
I checked the code. Seems like those 2 proc entries are 0 by default
in current tree. Maybe James are using kernel before that change. ()
int sysctl_protected_symlinks __read_mostly = 0;
int sysctl_protected_hardlinks __read_mostly = 0;
On Fri, Aug 2, 2013 at 12:44 AM, <bugzilla-daemon@bugzilla.kernel.org> wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=60676
>
> --- Comment #3 from Theodore Tso <tytso@mit.edu> ---
> On Thu, Aug 01, 2013 at 11:21:16AM -0700, Christoph Hellwig wrote:
>> Try reverting 800179c9b8a1e796e441674776d11cd4c05d61d7
>
> Or just do:
>
> echo 0 > /proc/sys/fs/protected_hardlinks
> echo 0 > /proc/sys/fs/protected_symlinks
>
> (or put the equivalent in /etc/sysctl.conf).
>
> There is a **very** detailed description of the design decision behind
> this change (which went in as of 3.6) in the commit description. See:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
>
> In any case, it's "working as designed".
>
> - Ted
>
> --
> You are receiving this mail because:
> You are watching the assignee of the bug.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug 60676] Stat system call gives permission denied to root for links under a sticky bit
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
` (3 preceding siblings ...)
2013-08-02 0:44 ` [Bug 60676] " bugzilla-daemon
@ 2013-08-02 14:34 ` bugzilla-daemon
4 siblings, 0 replies; 8+ messages in thread
From: bugzilla-daemon @ 2013-08-02 14:34 UTC (permalink / raw)
To: linux-ext4
https://bugzilla.kernel.org/show_bug.cgi?id=60676
James Kolb <jck@videk.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #4 from James Kolb <jck@videk.com> ---
That makes sense. Thanks! It looks like the man pages just need to be updated.
--
You are receiving this mail because:
You are watching the assignee of the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2013-08-02 14:34 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-08-01 15:02 [Bug 60676] New: Stat system call gives permission denied to root for links under a sticky bit bugzilla-daemon
2013-08-01 15:55 ` [Bug 60676] " bugzilla-daemon
2013-08-01 18:19 ` bugzilla-daemon
2013-08-01 18:21 ` [Bug 60676] New: " Christoph Hellwig
2013-08-02 0:44 ` Theodore Ts'o
2013-08-02 0:44 ` [Bug 60676] " bugzilla-daemon
2013-08-02 3:16 ` jon ernst
2013-08-02 14:34 ` bugzilla-daemon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).