From: Steve French <smfrench@austin.rr.com>
To: Trond Myklebust <trond.myklebust@fys.uio.no>,
linux-kernel@vger.kernel.org
Subject: Re: inode_change_ok
Date: Mon, 28 Nov 2005 15:05:15 -0600 [thread overview]
Message-ID: <438B710B.8090509@austin.rr.com> (raw)
In-Reply-To: <1133205191.27574.83.camel@lade.trondhjem.org>
Trond Myklebust wrote:
>CAP_CHOWN would therefore only be useful in the corner case where the
>server is allowing full root privileges to a client, and where the
>client is using capabilities to limit the root account's (or a setuid
>processes') ability to exercise those full privileges.
>
>Cheers,
> Trond
>
>
>
>
It sounds like I do need to make the change to cifs to add the optional
(based on the mount parm the admin can choose which model) call to
inode_change_ok to make the permissions check consistent when "noperm"
is not enabled on that mount , but I was trying to figure out how
important that change to the cifs code was and whether it was a priority
to get in. I realize that this corner case is far less common in the
wild for nfs. The corner case you describe above did seem to come up
today for cifs though (where the admin had in effect, trusted the
client, and allowed the client to mount as root with full root priv on
the server - I can imagine this being valid in their particular case,
with a trusted client os, over a trusted lan, but obviously would not be
the most common scenario). Obviously they did not turn on
multiusermount in /proc/fs/cifs (ie the ability to send different uids
on the wire depending on the uid of the client calling process) so the
only perm check that would be useful that was occuring at the client the
way they had chosen to configure/mount was happening in
generic_permission in the client. In their particular configuration
open and other paths in the vfs that call permission behaved fine and
the permission checks worked as expected - but chown always worked
(which is of course wrong) since the vfs does not call permission but
expects the vfs (if at all) to call inode_change_ok - so open failing,
but chown working was confusing to them.
Of course it does not make it much easier trying to compare with other
filesystems - ncpfs does seem to call both (generic_permission
inode_change_ok) and but the afs model (openafs) is far more complicated
and somewhat confusing (and interestingly afs does not call
generic_permission but does call inode_change_ok) so it is not really
possible to draw too many conclusions for how afs approached the same
two usage models (apparently afs also had a third usage model based on
machine address)
prev parent reply other threads:[~2005-11-28 20:08 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-11-28 17:48 inode_change_ok Steve French
2005-11-28 17:06 ` inode_change_ok Trond Myklebust
2005-11-28 17:15 ` inode_change_ok Trond Myklebust
[not found] ` <438B4FC6.1080506@austin.rr.com>
[not found] ` <1133201349.27574.56.camel@lade.trondhjem.org>
[not found] ` <438B5F6E.70702@austin.rr.com>
[not found] ` <1133205191.27574.83.camel@lade.trondhjem.org>
2005-11-28 21:05 ` Steve French [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=438B710B.8090509@austin.rr.com \
--to=smfrench@austin.rr.com \
--cc=linux-kernel@vger.kernel.org \
--cc=trond.myklebust@fys.uio.no \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox