From: NeilBrown <neilb@suse.com>
To: Bruce Fields <bfields@fieldses.org>
Cc: Nelson Elhage <nelhage@nelhage.com>,
Christoph Hellwig <hch@lst.de>,
linux-nfs@vger.kernel.org, James Brown <jbrown@easypost.com>
Subject: Re: NFSv3 may inappropriately return EPERM for fsetxattr
Date: Tue, 14 Aug 2018 19:03:14 +1000 [thread overview]
Message-ID: <87ftzhb9rh.fsf@notabene.neil.brown.name> (raw)
In-Reply-To: <878t5bqgx0.fsf@notabene.neil.brown.name>
[-- Attachment #1: Type: text/plain, Size: 1705 bytes --]
On Mon, Aug 13 2018, NeilBrown wrote:
> On Sun, Aug 12 2018, Bruce Fields wrote:
>> OK, so not too important. Still, it sounds like
>> inode_owner_or_capable() is something people expect to work for any
>> filesystem, so I wonder if there's a way to do that. Or at least
>> disable it.
>
> We could add a new flag - MAY_OWN (or something) - to the flags
> recognised by inode_permission() and i_op->permission().
>
> If ->permission isn't set, inode_permission() uses
> inode_owner_or_capable().
> If it is, it gets to call that, or do whatever is appropriate.
>
> Is this flag the same as NFS_MAY_OWNER_OVERRIDE or not....??
>
Pursuing this thought...
NFSD_MAY_OWNER_OVERRIDE means "an operation is requested which
may always be performed by the owner of the file, even if they
don't have explicit permission via DAC setting."
I think this is a reasonable description of how inode_owner_or_capable()
is used. It is sometimes used on its own, where there is no permission
but that is relevant such as O_NOATIME or set_posix_acl(), or is used
as a precursor to and inode_permission() check, as in notify_change().
The biggest difference is that NFSD_MAY_OWNER_OVERRIDE does have the
"or_capable".
As nfsd drops CAP_FOWNER, and the extra test won't hurt it.
So I now think that a good solution to this problem would be to hoist
NFSD_MAY_OWNER_OVERRIDE into the VFS and change inode_permission() and
various i_op->permission functions to handle it.
All we need is a good name....
MAY_BY_OWNER ???
MAY_IF_OWNER
MAY_BE_OWNER ???
MAY_READ means "may I please read this file". The flag needs to say
"may I act as the owner of this file", so
MAY_ACT_AS_OWNER ????
Thought?
NeilBrown
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next prev parent reply other threads:[~2018-08-14 11:49 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-18 3:46 NFSv3 may inappropriately return EPERM for fsetxattr Nelson Elhage
2016-03-21 14:43 ` Christoph Hellwig
2016-03-21 15:56 ` Nelson Elhage
2018-08-10 1:29 ` NeilBrown
2018-08-10 17:00 ` Bruce Fields
2018-08-10 17:03 ` Bruce Fields
2018-08-11 22:28 ` NeilBrown
2018-08-12 13:21 ` Bruce Fields
2018-08-12 23:55 ` NeilBrown
2018-08-14 9:03 ` NeilBrown [this message]
2018-08-14 19:43 ` Bruce Fields
2018-08-14 23:49 ` NeilBrown
2018-08-16 0:39 ` NeilBrown
2018-08-16 17:54 ` Bruce Fields
2018-08-16 22:50 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ftzhb9rh.fsf@notabene.neil.brown.name \
--to=neilb@suse.com \
--cc=bfields@fieldses.org \
--cc=hch@lst.de \
--cc=jbrown@easypost.com \
--cc=linux-nfs@vger.kernel.org \
--cc=nelhage@nelhage.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).