From: Bruce Fields <bfields@fieldses.org>
To: NeilBrown <neilb@suse.com>
Cc: Nelson Elhage <nelhage@nelhage.com>,
Christoph Hellwig <hch@lst.de>,
linux-nfs@vger.kernel.org, James Brown <jbrown@easypost.com>
Subject: Re: NFSv3 may inappropriately return EPERM for fsetxattr
Date: Thu, 16 Aug 2018 13:54:52 -0400
Message-ID: <20180816175452.GA4649@fieldses.org>
In-Reply-To: <87r2iz9mbc.fsf@notabene.neil.brown.name>
On Thu, Aug 16, 2018 at 10:39:35AM +1000, NeilBrown wrote:
> On Tue, Aug 14 2018, Bruce Fields wrote:
> > Honestly I'm not completely sure I understand the proposal.
>
> Ok, here is a concrete RFC proposal which should make it easier to
> understand.
> I've tested that this fixes the specific problem in that a user with a
> uid that doesn't match the file, but which the server will give
> ownership rights to, can now setacl a file.
Thanks, this makes sense to me.
I might try to split this change into a couple steps, but I'm not sure
exactly how.
Minor nits:
> From 34f8b23b224e575d5f1fa30834b247e82a854546 Mon Sep 17 00:00:00 2001
> From: NeilBrown <neilb@suse.com>
> Date: Thu, 16 Aug 2018 10:37:21 +1000
> Subject: [PATCH] VFS: introduce MAY_ACT_AS_OWNER
>
> A few places in VFS, particularly set_posix_acl(), use
> inode_owner_or_capable() to check if the caller has "owner"
> access to the inode.
> This assumes that it is valid to test inode->i_uid, which is not
> always the case. Particularly in the case of NFS it is not valid to
> use i_uid (or i_mode) for permission tests - the server needs to make
> the decision.
>
> As a result if the server is remaping uids
remapping
> (e.g. all-squash,anon_uid=1000),
> then all users should have ownership access, but most users will not
> be able to set acls.
>
> This patch moves the ownership test to inode_permission and
> i_op->permission.
> A new flag for this functions, MAY_ACT_AS_OWNER is introduced.
these functions?
> generic_permission() now handles this correctly and many
> i_op->permission functions call this function() and don't need any
> changes. A few are changed to handle MAY_ACT_AS_OWNER exactly
> as generic_permission() does, using inode_owner_or_capable().
> For these filesystems, no behavioural change should be noticed.
>
> For NFS, nfs_permission is changed to always return 0 (success) if
> MAY_ACT_AS_OWNER. For NFS, and operations which use this flag should
any operations
> @@ -2038,12 +2038,13 @@ nfsd_permission(struct svc_rqst *rqstp, struct svc_export *exp,
> * We must trust the client to do permission checking - using "ACCESS"
> * with NFSv3.
> */
> - if ((acc & NFSD_MAY_OWNER_OVERRIDE) &&
> - uid_eq(inode->i_uid, current_fsuid()))
> - return 0;
>
> /* This assumes NFSD_MAY_{READ,WRITE,EXEC} == MAY_{READ,WRITE,EXEC} */
Can we do the same for NFSD_MAY_OWNER_OVERRIDE and drop the extra "if"
statement?
> - err = inode_permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC));
> + if (acc & NFSD_MAY_OWNER_OVERRIDE)
> + err = inode_permission(inode, ((acc & (MAY_READ|MAY_WRITE|MAY_EXEC))
> + | MAY_ACT_AS_OWNER));
> + else
> + err = inode_permission(inode, acc & (MAY_READ|MAY_WRITE|MAY_EXEC));
>
> /* Allow read access to binaries even when mode 111 */
> if (err == -EACCES && S_ISREG(inode->i_mode) &&
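Review bot: the comment block "We must trust the client to do permission checking - using ACCESS with NFSv3" now sits above nothing: the early `return 0` it explained is removed, so either drop it or reword it to describe the new MAY_ACT_AS_OWNER path. Two smaller points on the same hunk: the old code returned 0 before any MAY_READ/WRITE/EXEC check when the uid matched, whereas the new call passes MAY_ACT_AS_OWNER together with the rwx bits, so whether an owner whose mode bits would deny access still succeeds now depends on how generic_permission() combines the two, and that intended semantics deserves a sentence in the commit message or a comment here; and the if/else duplicates the inode_permission() call, which reads more simply as `int mask = acc & (MAY_READ|MAY_WRITE|MAY_EXEC); if (acc & NFSD_MAY_OWNER_OVERRIDE) mask |= MAY_ACT_AS_OWNER; err = inode_permission(inode, mask);`, which also lines up with the suggestion above to treat NFSD_MAY_OWNER_OVERRIDE like the other NFSD_MAY_* bits.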
--b.
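The all_squash scenario from the commit message, as an added user-space model of the before/after control flow (not kernel code and not part of the patch): the MAY_ACT_AS_OWNER bit value, the struct layouts, the export options and the helper names ending in `_before`/`_after` are constructed for illustration, and the capability half of inode_owner_or_capable() is omitted.

```c
#include <errno.h>
#include <stdbool.h>

#define MAY_ACT_AS_OWNER 0x1000   /* constructed bit value, not the kernel's */

struct inode { unsigned int i_uid; };
/* Constructed export options, e.g. all_squash,anon_uid=1000 */
struct svc_export { bool all_squash; unsigned int anon_uid; };

/* Ownership test as used by set_posix_acl(); capability check omitted. */
static bool inode_owner_or_capable(const struct inode *inode, unsigned int fsuid)
{
	return inode->i_uid == fsuid;
}

/* Server side: squash the RPC credential the way the export dictates, then
 * answer the MAY_ACT_AS_OWNER query against the real on-disk owner. */
static int nfsd_act_as_owner(const struct svc_export *exp,
			     const struct inode *inode, unsigned int rpc_uid)
{
	unsigned int fsuid = exp->all_squash ? exp->anon_uid : rpc_uid;
	return inode_owner_or_capable(inode, fsuid) ? 0 : -EACCES;
}

/* Client before the patch: set_posix_acl() compares the cached i_uid with
 * the local fsuid and never asks the server, so a squashed user gets EPERM. */
static int client_setacl_before(const struct inode *cached, unsigned int fsuid)
{
	return inode_owner_or_capable(cached, fsuid) ? 0 : -EPERM;
}

/* Client after the patch: nfs_permission() returns 0 for MAY_ACT_AS_OWNER,
 * the SETACL request goes out, and the server decides with its own
 * (possibly squashed) idea of who the caller is. */
static int client_setacl_after(const struct svc_export *exp,
			       const struct inode *server_inode, unsigned int fsuid)
{
	return nfsd_act_as_owner(exp, server_inode, fsuid);
}
```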