* [PATCH] fs: Delete group check before ACL
@ 2022-11-10 12:37 Wang Boshi
0 siblings, 0 replies; only message in thread
From: Wang Boshi @ 2022-11-10 12:37 UTC (permalink / raw)
To: viro; +Cc: linux-fsdevel, linux-kernel
Skipping full file ACL checks without no Group permissions causes we
can't deny access from specific users or groups which we ban according
ACL_USER, ACL_GROUP and ACL_MASK rules, because they may pass due to
Other permissions.
Example:
date > test_file
setfacl -m u:1000:rwx,g:2000:rwx,u::rwx,g::rwx,o::rwx,m::0 test_file
capsh --groups=1000 --gid=1000 --uid=1000 -- -c "cat test_file"
capsh --groups=2000 --gid=2000 --uid=2000 -- -c "cat test_file"
Signed-off-by: Wang Boshi <wangboshi@huawei.com>
---
fs/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/namei.c b/fs/namei.c
index 578c2110df02..d5772a31b5fc 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -347,7 +347,7 @@ static int acl_permission_check(struct user_namespace *mnt_userns,
}
/* Do we have ACL's? */
- if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
+ if (IS_POSIXACL(inode)) {
int error = check_acl(mnt_userns, inode, mask);
if (error != -EAGAIN)
return error;
--
2.29.2
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-11-10 12:37 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-10 12:37 [PATCH] fs: Delete group check before ACL Wang Boshi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).