From: Jan Kara <jack@suse.cz>
To: Max Kellermann <max.kellermann@ionos.com>
Cc: Jan Kara <jack@suse.cz>, Xiubo Li <xiubli@redhat.com>,
Ilya Dryomov <idryomov@gmail.com>,
Jeff Layton <jlayton@kernel.org>, Jan Kara <jack@suse.com>,
Dave Kleikamp <shaggy@kernel.org>,
ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-ext4@vger.kernel.org, jfs-discussion@lists.sourceforge.net,
Christian Brauner <brauner@kernel.org>,
Yang Xu <xuyang2018.jy@fujitsu.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if ACL support is disabled
Date: Wed, 11 Oct 2023 14:06:55 +0200 [thread overview]
Message-ID: <20231011120655.ndb7bfasptjym3wl@quack3> (raw)
In-Reply-To: <CAKPOu+_xdFALt9sgdd5w66Ab6KTqiy8+Z0Yd3Ss4+92jh8nCwg@mail.gmail.com>
On Wed 11-10-23 12:51:12, Max Kellermann wrote:
> On Wed, Oct 11, 2023 at 12:05 PM Jan Kara <jack@suse.cz> wrote:
> > So I've checked some more and the kernel doc comments before
> > mode_strip_umask() and vfs_prepare_mode() make it pretty obvious - all
> > paths creating new inodes must be calling vfs_prepare_mode(). As a result
> > mode_strip_umask() which handles umask stripping for filesystems not
> > supporting posix ACLs. For filesystems that do support ACLs,
> > posix_acl_create() must be call and that handles umask stripping. So your
> > fix should not be needed. CCed some relevant people for confirmation.
>
> Thanks, Jan. Do you think the documentation is obvious enough, or
> shall I look around and try to improve the documentation? I'm not a FS
> expert, so it may be just my fault that it confused me.... I just
> analyzed the O_TMPFILE vulnerability four years ago (because it was
> reported to me as the maintainer of a userspace software).
>
> Apart from my doubts that this API contract is too error prone, I'm
> not quite sure if all filesystems really implement it properly.
>
> For example, overlayfs unconditionally sets SB_POSIXACL, even if the
> kernel has no ACL support. Would this ignore the umask? I'm not sure,
> overlayfs is a special beast.
> Then there's orangefs which allows setting the "acl" mount option (and
> thus SB_POSIXACL) even if the kernel has no ACL support. Same for gfs2
> and maybe cifs, maybe more, I didn't check them all.
Indeed, *that* looks like a bug. Good spotting! I'd say posix_acl_create()
defined in include/linux/posix_acl.h for the !CONFIG_FS_POSIX_ACL case
should be stripping mode using umask. Care to send a patch for this?
> The "mainstream" filesystems like ext4 seem to be implemented
> properly, though this is still too fragile for my taste... ext4 has
> the SB_POSIXACL code even if there's no kernel ACL support, but it is
> not reachable because EXT4_MOUNT_POSIX_ACL cannot be set from
> userspace in that case. The code looks suspicious, but is okay in the
> end - still not my taste.
>
> I see so much redundant code regarding the "acl" mount option in all
> filesystems. I believe the API should be designed in a way that it is
> safe-by-default, and shouldn't need very careful considerations in
> each and every filesystem, or else all filesystems repeat the same
> mistakes until the last one gets fixed.
So I definitely agree that we should handle as many things as possible in
VFS without relying on filesystems to get it right. Thus I agree VFS should
do the right thing even if the filesystem sets SB_POSIXACl when
!CONFIG_FS_POSIX_ACL.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2023-10-11 12:07 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-19 8:18 [PATCH] fs: apply umask if POSIX ACL support is disabled Max Kellermann
2023-09-21 0:51 ` Xiubo Li
2023-10-03 15:32 ` Dave Kleikamp
2023-10-07 1:19 ` Xiubo Li
2023-10-09 14:43 ` [PATCH v2] fs/{posix_acl,ext2,jfs,ceph}: apply umask if " Max Kellermann
2023-10-09 16:49 ` Dave Kleikamp
2023-10-10 13:11 ` Jan Kara
2023-10-10 13:17 ` Max Kellermann
2023-10-11 10:05 ` Jan Kara
2023-10-11 10:51 ` Max Kellermann
2023-10-11 12:06 ` Jan Kara [this message]
2023-10-11 12:18 ` Max Kellermann
2023-10-11 12:27 ` Jan Kara
2023-10-11 12:27 ` Max Kellermann
2023-10-11 13:59 ` Jan Kara
2023-10-11 15:27 ` Christian Brauner
2023-10-11 16:29 ` Jan Kara
2023-10-12 9:22 ` Christian Brauner
2023-10-12 9:41 ` Jan Kara
2023-10-11 17:00 ` Theodore Ts'o
2023-10-11 17:26 ` Jan Kara
2023-10-12 14:29 ` Theodore Ts'o
2023-10-12 14:42 ` Jan Kara
2024-03-13 20:40 ` Michael Forney
2024-03-14 13:08 ` Max Kellermann
2024-03-15 13:52 ` Christian Brauner
2023-10-09 14:45 ` [PATCH] fs: apply umask if POSIX " Max Kellermann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231011120655.ndb7bfasptjym3wl@quack3 \
--to=jack@suse.cz \
--cc=brauner@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=idryomov@gmail.com \
--cc=jack@suse.com \
--cc=jfs-discussion@lists.sourceforge.net \
--cc=jlayton@kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=max.kellermann@ionos.com \
--cc=shaggy@kernel.org \
--cc=xiubli@redhat.com \
--cc=xuyang2018.jy@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox