From: Jeffrey E Altman <jaltman@auristor.com>
To: David Howells <dhowells@redhat.com>,
Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Etienne Champetier <champetier.etienne@gmail.com>,
Marc Dionne <marc.dionne@auristor.com>,
Chet Ramey <chet.ramey@case.edu>,
Steve French <sfrench@samba.org>,
linux-afs@lists.infradead.org, openafs-devel@openafs.org,
linux-cifs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir
Date: Tue, 13 May 2025 11:44:51 -0400 [thread overview]
Message-ID: <0583de50-1acd-4b61-911b-b1e9ed9a843e@auristor.com> (raw)
In-Reply-To: <2164801.1747125039@warthog.procyon.org.uk>
[-- Attachment #1: Type: text/plain, Size: 5222 bytes --]
I performed a review of the usage of vfsuid_eq_kuid() and vfsuid_eq().
I mostly agree with David's conclusions and add some additional insight
into the behavior of AFS servers.
On 5/13/2025 4:30 AM, David Howells wrote:
> Christian Brauner <brauner@kernel.org> wrote:
>
>> There's a few other places where we compare vfsuids:
>>
>> * may_delete()
>> -> check_sticky()
>> -> __check_sticky()
>>
>> * may_follow_link()
>>
>> * may_linkat()
>>
>> * fsuidgid_has_mapping()
>>
>> Anyone of those need special treatment on AFS as well?
> That's a good question. I think it might be better to switch back to the v1
> patch - which gives me two separate ops and provide a couple of vfs wrappers
> for them and use them more widely.
>
> So, perhaps:
>
> vfs_have_same_owner(inode1, inode2)
>
> which indicates if the two inodes have the same ownership and:
>
> vfs_is_owned_by_me(inode)
>
> which compares the inode's ownership to current_fsuid() by default.
The use of two distinct inode operations make the most sense to me. An
alternative is to provide one inode operation which sets two boolean
output parameters:
int (*check_ownership)(struct inode *const inode, struct inode *const
parent,int *is_owned_by_me, int *is_owned_by_parent); where
'is_owned_by_me' or 'is_owned_by_parent' might be NULL if the answer is
not required. However, I prefer David's suggestion.
> The following places need to be considered for being changed:
>
> (*) chown_ok()
> (*) chgrp_ok()
>
> Should call vfs_is_owned_by_me(). Possibly these need to defer all their
> checks to the network filesystem as the interpretation of the target
> UID/GID depends on the netfs.
Since the late 1980s, afs servers do not permit changes to owner or
group on files unless the caller is a member of the
system:administrators group. The file system clients cannot make this
determination themselves. If Linux wishes to further restrict the
operation to current owner, then use of a vfs_is_owned_by_me() like
inode operation should be used.
Something to consider for future AFS3 or YFS protocol changes is to
report the right to chown|chgrp to the client as part of a the
FetchStatus result set.
> (*) do_coredump()
>
> Should probably call vfs_is_owned_by_me() to check that the file created
> is owned by the caller - but the check that's there might be sufficient.
I agree.
> (*) inode_owner_or_capable()
>
> Should call vfs_is_owned_by_me().
I agree.
> I'm not sure whether the namespace
> mapping makes sense in such a case, but it probably could be used.
>
> (*) vfs_setlease()
>
> Should call vfs_is_owned_by_me(). Actually, it should query if leasing
> is permitted.
>
> Also, setting locks could perhaps do with a permission call to the
> filesystem driver as AFS, for example, has a lock permission bit in the
> ACL, but since the AFS server checks that when the RPC call is made, it's
> probably unnecessary.
The AFS server will grant locks based upon the following rules:
* the caller is granted the PRSFS_LOCK right (Shared lock only)
* the caller is granted the PRSFS_WRITE right (Shared or Exclusive lock)
* the caller is the file owner and is granted the PRSFS_INSERT right
(Shared or Exclusive lock)
The client has enough information to implement a lock permission check
if there was such an inode operation.
> (*) acl_permission_check()
> (*) posix_acl_permission()
>
> UIDs are part of these ACLs, so no change required. AFS implements its
> own ACLs and evaluates them in ->permission() and on the server.
acl_permission_check() and posix_acl_permission() will not be called for
AFS. However, it it probably worth adding the vfs_is_owned_by_me() to
acl_permission_check() in case there is another network filesystem which
requires non-uid ownership checks and wants to use generic_permission().
> (*) may_follow_link()
>
> Should call vfs_is_owned_by_me() and also vfs_have_same_owner() on the
> the link and its parent dir. The latter only applies on world-writable
> sticky dirs.
I agree
> (*) may_create_in_sticky()
>
> The initial subject of this patch. Should call vfs_is_owned_by_me() and
> also vfs_have_same_owner() both.
I agree.
> (*) __check_sticky()
>
> Should call vfs_is_owned_by_me() on both the dir and the inode.
I agree.
> (*) may_dedupe_file()
>
> Should call vfs_is_owned_by_me().
I agree.
>
> (*) IMA policy ops.
>
> No idea.
I am not familiar with the Integrity Measurement Operations. However,
looking at the usage of the ima_rule_entry fowner_op and fgroup_op
operations, I do not believe the proposed vfs_is_owned_by_me() could be
used to implement fowner_op. If IMA should work filesystems which
cannot rely upon local uid comparisons for owner and group, then I think
the IMA fowner_op and fgroup_op would require an alternative
implementation. At the moment, IMA is unlikely to work properly with AFS.
> David
Jeffrey Altman
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4276 bytes --]
prev parent reply other threads:[~2025-05-13 15:52 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-29 16:37 [PATCH] afs, bash: Fix open(O_CREAT) on an extant AFS file in a sticky dir David Howells
2025-04-29 17:35 ` Jeffrey E Altman
2025-04-30 15:09 ` Chet Ramey
2025-04-30 16:14 ` David Howells
2025-04-30 17:26 ` Jeffrey E Altman
2025-04-30 18:36 ` Chet Ramey
2025-05-05 13:14 ` Christian Brauner
[not found] ` <CAOdf3grbDQ-Fh2bV7XfoYvVBhgBAh7-hZyyxTNt1RfGekrA-nA@mail.gmail.com>
2025-05-05 14:42 ` Jeffrey E Altman
2025-05-14 12:50 ` Chet Ramey
2025-05-14 12:49 ` Chet Ramey
2025-05-06 10:26 ` David Howells
2025-05-09 10:33 ` Christian Brauner
2025-05-12 13:02 ` [PATCH v2] " David Howells
2025-05-13 7:49 ` Christian Brauner
2025-05-13 8:30 ` David Howells
2025-05-13 15:44 ` Jeffrey E Altman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0583de50-1acd-4b61-911b-b1e9ed9a843e@auristor.com \
--to=jaltman@auristor.com \
--cc=brauner@kernel.org \
--cc=champetier.etienne@gmail.com \
--cc=chet.ramey@case.edu \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marc.dionne@auristor.com \
--cc=openafs-devel@openafs.org \
--cc=sfrench@samba.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).