From: Donald Buczek <buczek@molgen.mpg.de>
To: Trond Myklebust <trond.myklebust@primarydata.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Anna Schumaker <anna.schumaker@netapp.com>
Subject: Re: [PATCH] nfs: do not deny execute access based on outdated mode in inode
Date: Sun, 27 Dec 2015 00:58:31 +0100
Message-ID: <567F29A7.2020906@molgen.mpg.de>
In-Reply-To: <CAHQdGtSCn4bbx4xiyE7FXmWk3SCY81mvWLJz_1VDow9YtB5VgA@mail.gmail.com>

On 26.12.2015 19:36, Trond Myklebust wrote:
> On Fri, Dec 25, 2015 at 7:30 AM, Donald Buczek <buczek@molgen.mpg.de> wrote:
>> This patch fixes a problem where an nfs4 client incorrectly denies
>> execute access based on an outdated file mode (missing 'x' bit).
>> After the mode on the server is 'fixed' (chmod +x), further execution
>> attempts continue to fail, because the nfs ACCESS call updates
>> the access parameter but not the mode parameter or the mode in
>> the inode.
>>
>> The access check based on the file mode is not required, because
>> the server already verified the client's rights.
>>
>> Remove the test.
>>
>> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109771
>> Signed-off-by: Donald Buczek <buczek@molgen.mpg.de>
>> ---
>>   fs/nfs/dir.c | 3 ---
>>   1 file changed, 3 deletions(-)
>>
>> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
>> index ce5a218..ffc25b0 100644
>> --- a/fs/nfs/dir.c
>> +++ b/fs/nfs/dir.c
>> @@ -2481,9 +2481,6 @@ force_lookup:
>>                          res = PTR_ERR(cred);
>>          }
>>   out:
>> -       if (!res && (mask & MAY_EXEC) && !execute_ok(inode))
>> -               res = -EACCES;
>> -
>>          dfprintk(VFS, "NFS: permission(%s/%lu), mask=0x%x, res=%d\n",
>>                  inode->i_sb->s_id, inode->i_ino, mask, res);
>>          return res;
>>
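Review bot: The deletion under `out:` drops the `execute_ok(inode)` test for every path that reaches that label, while the commit message justifies it only for the case where the server has already answered an ACCESS call. If any path arrives at `out:` with `res == 0` without having asked the server, a `MAY_EXEC` request would now pass with no mode check at all. Consider keeping the test and refreshing the inode's mode before it runs, or stating in the commit message which paths reach `out:` and why each one is covered by a server-side check.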
> My main question here is why the client isn't picking up the changed
> mode bits here? All open() calls should be asking for the full set of
> attributes as part of the OPEN COMPOUND rpc call.
>
> Cheers
>    Trond

It's from fs/namei.c do_last():

> finish_open_created:
>         error = may_open(&nd->path, acc_mode, open_flag);
>         if (error)
>                 goto out;
>
>         BUG_ON(*opened & FILE_OPENED); /* once it's opened, it's opened */
>         error = vfs_open(&nd->path, file, current_cred());


may_open() -> inode_permission() -> __inode_permission() -> do_inode_permission() -> inode->i_op->permission() -> nfs_permission() first

vfs_open() -> do_dentry_open() -> inode->i_fop->open() -> nfs4_file_open() later


Merry Christmas

   Donald


-- 
Donald Buczek
buczek@molgen.mpg.de
Tel: +49 30 8413 1433


Thread overview: 20+ messages
2015-12-25 12:30 [PATCH] nfs: do not deny execute access based on outdated mode in inode Donald Buczek
2015-12-26 18:36 ` Trond Myklebust
2015-12-26 23:58   ` Donald Buczek [this message]
2015-12-27  0:11     ` Trond Myklebust
2015-12-27  0:38       ` Al Viro
2015-12-27  1:26         ` Trond Myklebust
2015-12-27  2:28           ` Al Viro
2015-12-27  2:54             ` Trond Myklebust
2015-12-27  3:06               ` [PATCH] NFSv4: Don't perform cached access checks before we've OPENed the file Trond Myklebust
2015-12-27 12:18                 ` Donald Buczek
2015-12-27 16:23                   ` Trond Myklebust
2015-12-27 17:57                     ` Al Viro
2015-12-28 19:38                     ` [PATCH] nfs: revalidate inode before access checks Donald Buczek
2015-12-28 21:10                       ` Trond Myklebust
2015-12-29  0:40                         ` [PATCH] NFS: Ensure we revalidate attributes before using execute_ok() Trond Myklebust
2015-12-29 19:51                           ` Donald Buczek
2015-12-29 20:18                             ` Trond Myklebust
2015-12-30  0:02                               ` [PATCH] NFS: Fix attribute cache revalidation Trond Myklebust
2015-12-30 11:23                                 ` Donald Buczek
2015-12-30 14:04                                   ` Trond Myklebust
