lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071130220127.GJ24887@fieldses.org>
Date:	Fri, 30 Nov 2007 17:01:27 -0500
From:	"J. Bruce Fields" <bfields@...ldses.org>
To:	Roger Willcocks <roger@...mlight.ltd.uk>
Cc:	linux-kernel@...r.kernel.org, nfs@...ts.sourceforge.net,
	Neil Brown <neilb@...e.de>
Subject: Re: nfsd bug: create file with specific uid/gid

On Fri, Nov 30, 2007 at 05:06:03PM +0000, Roger Willcocks wrote:
> nfsd/vfs.c:nfsd_create (the v2 version of create) says:
>
> "Set file attributes. Mode has already been set and
> setting uid/gid works only for root"
>
> but it doesn't actually test for root-ness (which could happen if the 
> access is no-root-squash). There's similar code without the comment in 
> nfsd_create_v3. In both cases the test:
>
>    if ((iap->ia_valid &= ~(ATTR_UID|ATTR_GID|ATTR_MODE)) != 0)
>
> should read:
>
>    if (current->fsuid != 0)
>        iap->ia_valid &= ~(ATTR_UID|ATTR_GID);
>    if ((iap->ia_valid &= ~ATTR_MODE) != 0)
>
> although arguably they should return an EPERM error if the uid/gid bits are 
> set, instead of silently ignoring them.

Assignments (especially with things like &=) inside of conditionals
always make my head hurt for some reason.  So maybe something like the
below?

Although I'd be happier if we could get a comment from someone with a
better understanding of why this hack was added in the first place.

Thanks for the bug report!  (And, by the way, how did you run across
this?)

--b.


commit 38574420b8992d69f469ca86041f75b6e2283174
Author: J. Bruce Fields <bfields@...i.umich.edu>
Date:   Fri Nov 30 16:55:23 2007 -0500

    nfsd: allow root to set uid and gid on create
    
    The server silently ignores attempts to set the uid and gid on create.
    Based on the comment, this appears to have been done to prevent some
    overly-clever IRIX client from causing itself problems.
    
    Perhaps we should remove that hack completely.  For now, at least, it
    makes sense to allow root (when no_root_squash is set) to set uid and
    gid.
    
    Thanks to Roger Willcocks <roger@...mlight.ltd.uk> for the bug report
    and original patch on which this is based.
    
    Signed-off-by: J. Bruce Fields <bfields@...i.umich.edu>

diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index 755ba43..8a8bf06 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1257,12 +1257,16 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
 	}
 
 
-	/* Set file attributes. Mode has already been set and
-	 * setting uid/gid works only for root. Irix appears to
+	/* Mode has already been set: */
+	iap->ia_valid &= ~ATTR_MODE;
+	/*
+	 * Setting uid/gid works only for root.  Irix appears to
 	 * send along the gid when it tries to implement setgid
-	 * directories via NFS.
+	 * directories via NFS:
 	 */
-	if ((iap->ia_valid &= ~(ATTR_UID|ATTR_GID|ATTR_MODE)) != 0) {
+	if (current->fsuid != 0)
+		iap->ia_valid &= ~(ATTR_UID|ATTR_GID);
+	if (iap->ia_valid) {
 		__be32 err2 = nfsd_setattr(rqstp, resfhp, iap, 0, (time_t)0);
 		if (err2)
 			err = err2;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ