From: Jan Kara <jack@suse.cz>
To: Mike Marshall <hubcap@omnibond.com>
Cc: Jan Kara <jack@suse.cz>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Andreas Gruenbacher <agruenba@redhat.com>,
stable@vger.kernel.org, pvfs2-developers@beowulf-underground.org
Subject: Re: [PATCH 09/11] orangefs: Don't clear SGID when inheriting ACLs
Date: Thu, 20 Jul 2017 18:27:01 +0200 [thread overview]
Message-ID: <20170720162701.GA23700@quack2.suse.cz> (raw)
In-Reply-To: <CAOg9mSSoZzhu7mefWbRR-Y=Ykfu_YxLCHDNKa8SgDO+FA3ceRw@mail.gmail.com>
Hi Mike,
On Thu 20-07-17 12:05:17, Mike Marshall wrote:
> I saw this when you put it out. My review of your patch caused me to
> find something broken in general about how ACLs work in
> Orangefs. I continue to work on that bug, and plan on picking
> up your patch as soon as I fix the other bug... your patch looks
> fine, I could pick it up without being able to test it if my delay is
> holding up something you are doing...
No, it's not holding up anything. It is enough for me to know you have the
patch somewhere queued and I can forget about it ;). Thanks for getting
back to me.
Honza
> On Tue, Jul 18, 2017 at 12:18 PM, Jan Kara <jack@suse.cz> wrote:
> > On Thu 22-06-17 15:31:13, Jan Kara wrote:
> >> When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
> >> set, DIR1 is expected to have SGID bit set (and owning group equal to
> >> the owning group of 'DIR0'). However when 'DIR0' also has some default
> >> ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
> >> 'DIR1' to get cleared if user is not member of the owning group.
> >>
> >> Fix the problem by creating __orangefs_set_acl() function that does not
> >> call posix_acl_update_mode() and use it when inheriting ACLs. That
> >> prevents SGID bit clearing and the mode has been properly set by
> >> posix_acl_create() anyway.
> >>
> >> Fixes: 073931017b49d9458aa351605b43a7e34598caef
> >> CC: stable@vger.kernel.org
> >> CC: Mike Marshall <hubcap@omnibond.com>
> >> CC: pvfs2-developers@beowulf-underground.org
> >> Signed-off-by: Jan Kara <jack@suse.cz>
> >
> > Mike, can you please pick up this fix? Thanks!
> >
> > Honza
> >
> >> ---
> >> fs/orangefs/acl.c | 48 ++++++++++++++++++++++++++++--------------------
> >> 1 file changed, 28 insertions(+), 20 deletions(-)
> >>
> >> diff --git a/fs/orangefs/acl.c b/fs/orangefs/acl.c
> >> index 7a3754488312..9409aac232f7 100644
> >> --- a/fs/orangefs/acl.c
> >> +++ b/fs/orangefs/acl.c
> >> @@ -61,9 +61,9 @@ struct posix_acl *orangefs_get_acl(struct inode *inode, int type)
> >> return acl;
> >> }
> >>
> >> -int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >> +static int __orangefs_set_acl(struct inode *inode, struct posix_acl *acl,
> >> + int type)
> >> {
> >> - struct orangefs_inode_s *orangefs_inode = ORANGEFS_I(inode);
> >> int error = 0;
> >> void *value = NULL;
> >> size_t size = 0;
> >> @@ -72,22 +72,6 @@ int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >> switch (type) {
> >> case ACL_TYPE_ACCESS:
> >> name = XATTR_NAME_POSIX_ACL_ACCESS;
> >> - if (acl) {
> >> - umode_t mode;
> >> -
> >> - error = posix_acl_update_mode(inode, &mode, &acl);
> >> - if (error) {
> >> - gossip_err("%s: posix_acl_update_mode err: %d\n",
> >> - __func__,
> >> - error);
> >> - return error;
> >> - }
> >> -
> >> - if (inode->i_mode != mode)
> >> - SetModeFlag(orangefs_inode);
> >> - inode->i_mode = mode;
> >> - mark_inode_dirty_sync(inode);
> >> - }
> >> break;
> >> case ACL_TYPE_DEFAULT:
> >> name = XATTR_NAME_POSIX_ACL_DEFAULT;
> >> @@ -132,6 +116,29 @@ int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >> return error;
> >> }
> >>
> >> +int orangefs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
> >> +{
> >> + int error;
> >> +
> >> + if (type == ACL_TYPE_ACCESS && acl) {
> >> + umode_t mode;
> >> +
> >> + error = posix_acl_update_mode(inode, &mode, &acl);
> >> + if (error) {
> >> + gossip_err("%s: posix_acl_update_mode err: %d\n",
> >> + __func__,
> >> + error);
> >> + return error;
> >> + }
> >> +
> >> + if (inode->i_mode != mode)
> >> + SetModeFlag(ORANGEFS_I(inode));
> >> + inode->i_mode = mode;
> >> + mark_inode_dirty_sync(inode);
> >> + }
> >> + return __orangefs_set_acl(inode, acl, type);
> >> +}
> >> +
> >> int orangefs_init_acl(struct inode *inode, struct inode *dir)
> >> {
> >> struct orangefs_inode_s *orangefs_inode = ORANGEFS_I(inode);
> >> @@ -146,13 +153,14 @@ int orangefs_init_acl(struct inode *inode, struct inode *dir)
> >> return error;
> >>
> >> if (default_acl) {
> >> - error = orangefs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
> >> + error = __orangefs_set_acl(inode, default_acl,
> >> + ACL_TYPE_DEFAULT);
> >> posix_acl_release(default_acl);
> >> }
> >>
> >> if (acl) {
> >> if (!error)
> >> - error = orangefs_set_acl(inode, acl, ACL_TYPE_ACCESS);
> >> + error = __orangefs_set_acl(inode, acl, ACL_TYPE_ACCESS);
> >> posix_acl_release(acl);
> >> }
> >>
> >> --
> >> 2.12.3
> >>
> > --
> > Jan Kara <jack@suse.com>
> > SUSE Labs, CR
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
next prev parent reply other threads:[~2017-07-20 16:27 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20170622133115.16968-1-jack@suse.cz>
2017-06-22 13:31 ` [PATCH 01/11] ext4: Don't clear SGID when inheriting ACLs Jan Kara
2017-06-22 15:32 ` Andreas Gruenbacher
2017-06-22 13:31 ` [PATCH 02/11] ext2: " Jan Kara
2017-06-22 13:31 ` [PATCH 03/11] btrfs: " Jan Kara
2017-06-26 16:47 ` David Sterba
2017-06-22 13:31 ` [PATCH 04/11] gfs2: " Jan Kara
2017-07-18 16:18 ` Jan Kara
2017-07-19 16:17 ` Bob Peterson
2017-06-22 13:31 ` [PATCH 05/11] hfsplus: " Jan Kara
2017-06-22 13:31 ` [PATCH 06/11] jfs: " Jan Kara
2017-07-18 16:19 ` Jan Kara
2017-07-18 17:36 ` Dave Kleikamp
2017-06-22 13:31 ` [PATCH 08/11] ocfs2: " Jan Kara
2017-06-22 13:31 ` [PATCH 09/11] orangefs: " Jan Kara
2017-07-18 16:18 ` Jan Kara
2017-07-20 16:05 ` Mike Marshall
2017-07-20 16:27 ` Jan Kara [this message]
2017-06-22 13:31 ` [PATCH 10/11] reiserfs: " Jan Kara
2017-06-22 13:31 ` [PATCH 11/11] xfs: " Jan Kara
2017-06-26 15:52 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170720162701.GA23700@quack2.suse.cz \
--to=jack@suse.cz \
--cc=agruenba@redhat.com \
--cc=hubcap@omnibond.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=pvfs2-developers@beowulf-underground.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).