From: "xuyang2018.jy@fujitsu.com" <xuyang2018.jy@fujitsu.com>
To: Dave Chinner <david@fromorbit.com>
Cc: "linux-xfs@vger.kernel.org" <linux-xfs@vger.kernel.org>,
"djwong@kernel.org" <djwong@kernel.org>,
"pvorel@suse.cz" <pvorel@suse.cz>
Subject: Re: [RFC RESEND] xfs: fix up non-directory creation in SGID directories when umask S_IXGRP
Date: Wed, 23 Mar 2022 07:18:59 +0000 [thread overview]
Message-ID: <623ACA1C.9050203@fujitsu.com> (raw)
In-Reply-To: <20220322092322.GO1544202@dread.disaster.area>
on 2022/3/22 17:23, Dave Chinner wrote:
> On Tue, Mar 22, 2022 at 07:43:20PM +1100, Dave Chinner wrote:
>> On Tue, Mar 22, 2022 at 04:04:17PM +0800, Yang Xu wrote:
>>> Petr reported a problem that S_ISGID bit was not clean when testing ltp
>>> case create09[1] by using umask(077).
>>
>> Ok. So what is the failure message from the test?
>>
>> When did the test start failing? Is this a recent failure or
>> something that has been around for years? If it's recent, what
>> commit broke it?
>
> Ok, I went and looked at the test, and it confirmed my suspicion. I
> can't find the patch that introduced this change on lore.kernel.org.
> Looks like one of those silent security fixes that nobody gets told
> about, gets no real review, has no test cases written for it, etc.
>
> And nobody wrote a test for until August 2021 and that's when people
> started to notice broken filesystems.
>
> This is the commit that failed to fix several filesystems:
>
> commit 0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
> Author: Linus Torvalds<torvalds@linux-foundation.org>
> Date: Tue Jul 3 17:10:19 2018 -0700
>
> Fix up non-directory creation in SGID directories
>
> sgid directories have special semantics, making newly created files in
> the directory belong to the group of the directory, and newly created
> subdirectories will also become sgid. This is historically used for
> group-shared directories.
>
> But group directories writable by non-group members should not imply
> that such non-group members can magically join the group, so make sure
> to clear the sgid bit on non-directories for non-members (but remember
> that sgid without group execute means "mandatory locking", just to
> confuse things even more).
>
> Reported-by: Jann Horn<jannh@google.com>
> Cc: Andy Lutomirski<luto@kernel.org>
> Cc: Al Viro<viro@zeniv.linux.org.uk>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> diff --git a/fs/inode.c b/fs/inode.c
> index 2c300e981796..8c86c809ca17 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -1999,8 +1999,14 @@ void inode_init_owner(struct inode *inode, const struct inode *dir,
> inode->i_uid = current_fsuid();
> if (dir&& dir->i_mode& S_ISGID) {
> inode->i_gid = dir->i_gid;
> +
> + /* Directories are special, and always inherit S_ISGID */
> if (S_ISDIR(mode))
> mode |= S_ISGID;
> + else if ((mode& (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)&&
> + !in_group_p(inode->i_gid)&&
> + !capable_wrt_inode_uidgid(dir, CAP_FSETID))
> + mode&= ~S_ISGID;
> } else
> inode->i_gid = current_fsgid();
> inode->i_mode = mode;
>
> The problem is it takes away mode bits that the VFS passed to us
> deep in the VFS inode initialisation done during on-disk inode
> initialisation, and it's hidden well away from sight of the
> filesystems.
>
> Oh, what a mess - this in_group_p()&& capable_wrt_inode_uidgid()
> check is splattered all over filesystems in random places to clear
> SGID bits. e.g ceph_finish_async_create() is an open coded
> inode_init_owner() call. There's special case
> code in fuse_set_acl() to clear SGID. There's a special case in
> ovl_posix_acl_xattr_set() for ACL xattrs to clear SGID. And so on.
>
> No consistency anywhere - shouldn't the VFS just be stripping the
> SGID bit before it passes the mode down to filesystems? It has all
> the info it needs - it doesn't need the filesystems to do everything
> correctly with the mode and ensuring that they order things like
> posix acl setup functions correctly with inode_init_owner() to strip
> the SGID bit...
>
> Just strip the SGID bit at the VFS, and then the filesystems can't
> get it wrong...
Thanks for your reply.
Sound reasonable, but I am not sure I have the ability to do this.
Will try ...
Best Regards
Yang Xu
>
> Cheers,
>
> Dave.
next prev parent reply other threads:[~2022-03-23 7:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-22 8:04 [RFC RESEND] xfs: fix up non-directory creation in SGID directories when umask S_IXGRP Yang Xu
2022-03-22 8:43 ` Dave Chinner
2022-03-22 9:23 ` Dave Chinner
2022-03-23 7:18 ` xuyang2018.jy [this message]
2022-03-22 9:42 ` xuyang2018.jy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=623ACA1C.9050203@fujitsu.com \
--to=xuyang2018.jy@fujitsu.com \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox