From: Peter Staubach <staubach@redhat.com>
To: Trond Myklebust <Trond.Myklebust@netapp.com>
Cc: linux-fsdevel@vger.kernel.org, akpm@osdl.org
Subject: Re: [PATCH 1/3] VFS: Fix access("file", X_OK) in the presence of ACLs
Date: Thu, 13 Jul 2006 09:59:54 -0400 [thread overview]
Message-ID: <44B651DA.2020308@redhat.com> (raw)
In-Reply-To: <20060712175006.7413.91738.stgit@lade.trondhjem.org>
Trond Myklebust wrote:
>From: Trond Myklebust <Trond.Myklebust@netapp.com>
>
>Currently, the access() call will return incorrect information on NFS if
>there exists an ACL that grants execute access to the user on a regular
>file. The reason the information is incorrect is that the VFS overrides
>this execute access in open_exec() by checking (inode->i_mode & 0111).
>
>This patch propagates the VFS execute bit check back into the generic
>permission() call.
>
>Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
>---
>
> fs/namei.c | 9 ++++++++-
> 1 files changed, 8 insertions(+), 1 deletions(-)
>
>diff --git a/fs/namei.c b/fs/namei.c
>index 664b4a5..08cc418 100644
>--- a/fs/namei.c
>+++ b/fs/namei.c
>@@ -227,10 +227,10 @@ int generic_permission(struct inode *ino
>
> int permission(struct inode *inode, int mask, struct nameidata *nd)
> {
>+ umode_t mode = inode->i_mode;
> int retval, submask;
>
> if (mask & MAY_WRITE) {
>- umode_t mode = inode->i_mode;
>
> /*
> * Nobody gets write access to a read-only fs.
>@@ -247,6 +247,13 @@ int permission(struct inode *inode, int
> }
>
>
>+ /*
>+ * MAY_EXEC on regular files requires special handling: We override
>+ * filesystem execute permissions if the mode bits aren't set.
>+ */
>+ if ((mask & MAY_EXEC) && S_ISREG(mode) && !(mode & S_IXUGO))
>+ return -EACCES;
>+
> /* Ordinary permission routines do not understand MAY_APPEND. */
> submask = mask & ~MAY_APPEND;
> if (inode->i_op && inode->i_op->permission)
>-
>
>
Does this imply that some of the code in places like generic_permission(),
fuse_permission(), and xfs_iaccess() can be cleaned up too? They contain
code which appears to check to ensure that an exec bit is on before allowing
an override.
Thanx...
ps
next prev parent reply other threads:[~2006-07-13 14:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-12 17:50 [PATCH 1/3] VFS: Fix access("file", X_OK) in the presence of ACLs Trond Myklebust
2006-07-12 17:50 ` [PATCH 2/3] VFS: Remove redundant open-coded mode bit check in prepare_binfmt() Trond Myklebust
2006-07-12 17:50 ` [PATCH 3/3] VFS: Remove redundant open-coded mode bit checks in open_exec() Trond Myklebust
2006-07-13 13:59 ` Peter Staubach [this message]
2006-07-13 14:13 ` [PATCH 1/3] VFS: Fix access("file", X_OK) in the presence of ACLs Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44B651DA.2020308@redhat.com \
--to=staubach@redhat.com \
--cc=Trond.Myklebust@netapp.com \
--cc=akpm@osdl.org \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).