From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Staubach Subject: Re: [PATCH 1/3] VFS: Fix access("file", X_OK) in the presence of ACLs Date: Thu, 13 Jul 2006 09:59:54 -0400 Message-ID: <44B651DA.2020308@redhat.com> References: <20060712175006.7413.91738.stgit@lade.trondhjem.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: linux-fsdevel@vger.kernel.org, akpm@osdl.org Return-path: Received: from mx1.redhat.com ([66.187.233.31]:55000 "EHLO mx1.redhat.com") by vger.kernel.org with ESMTP id S1751497AbWGMOAK (ORCPT ); Thu, 13 Jul 2006 10:00:10 -0400 To: Trond Myklebust In-Reply-To: <20060712175006.7413.91738.stgit@lade.trondhjem.org> Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Trond Myklebust wrote: >From: Trond Myklebust > >Currently, the access() call will return incorrect information on NFS if >there exists an ACL that grants execute access to the user on a regular >file. The reason the information is incorrect is that the VFS overrides >this execute access in open_exec() by checking (inode->i_mode & 0111). > >This patch propagates the VFS execute bit check back into the generic >permission() call. > >Signed-off-by: Trond Myklebust >--- > > fs/namei.c | 9 ++++++++- > 1 files changed, 8 insertions(+), 1 deletions(-) > >diff --git a/fs/namei.c b/fs/namei.c >index 664b4a5..08cc418 100644 >--- a/fs/namei.c >+++ b/fs/namei.c >@@ -227,10 +227,10 @@ int generic_permission(struct inode *ino > > int permission(struct inode *inode, int mask, struct nameidata *nd) > { >+ umode_t mode = inode->i_mode; > int retval, submask; > > if (mask & MAY_WRITE) { >- umode_t mode = inode->i_mode; > > /* > * Nobody gets write access to a read-only fs. 
>@@ -247,6 +247,13 @@ int permission(struct inode *inode, int > } > > >+ /* >+ * MAY_EXEC on regular files requires special handling: We override >+ * filesystem execute permissions if the mode bits aren't set. >+ */ >+ if ((mask & MAY_EXEC) && S_ISREG(mode) && !(mode & S_IXUGO)) >+ return -EACCES; >+ > /* Ordinary permission routines do not understand MAY_APPEND. */ > submask = mask & ~MAY_APPEND; > if (inode->i_op && inode->i_op->permission) >- > > Does this imply that some of the code in places like generic_permission(), fuse_permission(), and xfs_iaccess() can be cleaned up too? They contain code which appears to check to ensure that an exec bit is on before allowing an override. Thanx... ps
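Review bot: In the first hunk (@@ -227,10 +227,10), removing the declaration leaves the `if (mask & MAY_WRITE) {` block opening with an empty line before its comment; drop that blank line as part of the move. Hoisting `umode_t mode = inode->i_mode;` to function scope also means the value is now read once at entry for both the write check and the new exec check, which is worth stating in the changelog since the declaration was previously local to the MAY_WRITE branch.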
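Review bot: In the second hunk (@@ -247,6 +247,13), the comment's "We override filesystem execute permissions" does not say in which direction; the code denies, returning -EACCES before `inode->i_op->permission` is consulted, so an ACL-based grant from the filesystem is never evaluated for a regular file with no S_IXUGO bits. Suggest wording the comment as a denial ("refuse MAY_EXEC on regular files that have no execute bit set in the mode, whatever the filesystem would answer") and noting that this applies to every caller passing MAY_EXEC to permission(), not only access(). The test also uses the `mode` value read at function entry, so if a filesystem's permission op refreshes `i_mode`, this check runs on the value from before that refresh; a sentence in the comment or changelog on whether that is acceptable would help. The changelog says the `(inode->i_mode & 0111)` test lives in open_exec(), and this patch does not touch it, so say whether that test is now redundant and removed elsewhere in the series.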