From mboxrd@z Thu Jan  1 00:00:00 1970
From: Mike Kazantsev <mk.fraggod@gmail.com>
Subject: Re: POSIX CAP_DAC_READ_SEARCH doesn't bypass file read permissions?
Date: Tue, 29 Dec 2009 16:53:02 +0500
Message-ID: <20091229165302.10f80f45@malediction>
References: <20091226233012.38d67cf5@coercion>
	<20091227220610.GA19083@us.ibm.com>
	<20091229052050.GA23226@us.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: "Serge E. Hallyn" <serue@us.ibm.com>
To: linux-fsdevel@vger.kernel.org
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from lo.gmane.org ([80.91.229.12]:43018 "EHLO lo.gmane.org"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1752760AbZL2Lx1 (ORCPT <rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 29 Dec 2009 06:53:27 -0500
Received: from list by lo.gmane.org with local (Exim 4.50)
	id 1NPadg-0000lT-U6
	for linux-fsdevel@vger.kernel.org; Tue, 29 Dec 2009 12:53:24 +0100
Received: from wall.mplik.ru ([195.58.1.141])
        by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <linux-fsdevel@vger.kernel.org>; Tue, 29 Dec 2009 12:53:24 +0100
Received: from mk.fraggod by wall.mplik.ru with local (Gmexim 0.1 (Debian))
        id 1AlnuQ-0007hv-00
        for <linux-fsdevel@vger.kernel.org>; Tue, 29 Dec 2009 12:53:24 +0100
In-Reply-To: <20091229052050.GA23226@us.ibm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Mon, 28 Dec 2009 23:20:50 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> Quoting Serge E. Hallyn (serue@us.ibm.com):
> > Quoting Mike Kazantsev (mk.fraggod@gmail.com):
> > > CAP_DAC_READ_SEARCH seem to be well-suited and sufficient for the
> > > task, according to docs:
> > > 
> > >   Bypass file read permission checks and directory read and
> > > execute permission checks.
> > > 
> > > 
> > > I can see it bypassing directory checks, but it fails to bypass
> > > file permission check.
> 
> Egads, I'm sorry, Mike.  I was sure that if there was any problem it
> would be in the exec_permission_lite path, that I had only checked DAC
> perms on the path.  In fact, it's the DAC perms on the actual file
> which are the problem.  I can reproduce your problem, and the
> following patch fixes it.  Please confirm.
>

Indeed it works for both 2.6.32.2 and 2.6.33-rc2, thank you.


-- 
Mike Kazantsev // fraggod.net