lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <cfd18e0f0807010709veab05adg2c6566a79b7baabb@mail.gmail.com>
Date:	Tue, 1 Jul 2008 16:09:40 +0200
From:	"Michael Kerrisk" <mtk.manpages@...glemail.com>
To:	"Miklos Szeredi" <miklos@...redi.hu>
Cc:	viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org, hch@...radead.org,
	akpm@...ux-foundation.org, "Ulrich Drepper" <drepper@...hat.com>,
	"Michael Kerrisk" <mtk.manpages@...il.com>
Subject: Re: [patch 1/4] vfs: utimes: move owner check into inode_change_ok()

Hi Miklos,

On Tue, Jul 1, 2008 at 3:01 PM, Miklos Szeredi <miklos@...redi.hu> wrote:
> From: Miklos Szeredi <mszeredi@...e.cz>
>
> Add a new ia_valid flag: ATTR_TIMES_SET, to handle the
> UTIMES_OMIT/UTIMES_NOW and UTIMES_NOW/UTIMES_OMIT cases.  In these
> cases neither ATTR_MTIME_SET nor ATTR_ATIME_SET is in the flags, yet
> the POSIX draft specifies that permission checking is performed the
> same way as if one or both of the times was explicitly set to a
> timestamp.
>
> See the path "vfs: utimensat(): fix error checking for
> {UTIME_NOW,UTIME_OMIT} case" by Michael Kerrisk for the patch
> introducing this behavior.
>
> This is a cleanup, as well as allowing filesystems (NFS/fuse/...) to
> perform their own permission checking instead of the default.

What kernel version/tree is this patch against?

Cheers,

Michael

> CC: Ulrich Drepper <drepper@...hat.com>
> CC: Michael Kerrisk <mtk.manpages@...il.com>
> Signed-off-by: Miklos Szeredi <mszeredi@...e.cz>
> ---
>  fs/attr.c          |    2 +-
>  fs/utimes.c        |   17 ++++-------------
>  include/linux/fs.h |   33 +++++++++++++++++----------------
>  3 files changed, 22 insertions(+), 30 deletions(-)
>
> Index: linux-2.6/fs/attr.c
> ===================================================================
> --- linux-2.6.orig/fs/attr.c    2008-06-27 22:09:08.000000000 +0200
> +++ linux-2.6/fs/attr.c 2008-07-01 13:52:20.000000000 +0200
> @@ -51,7 +51,7 @@ int inode_change_ok(struct inode *inode,
>        }
>
>        /* Check for setting the inode time. */
> -       if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET)) {
> +       if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) {
>                if (!is_owner_or_cap(inode))
>                        goto error;
>        }
> Index: linux-2.6/fs/utimes.c
> ===================================================================
> --- linux-2.6.orig/fs/utimes.c  2008-07-01 08:10:12.000000000 +0200
> +++ linux-2.6/fs/utimes.c       2008-07-01 13:52:20.000000000 +0200
> @@ -101,7 +101,6 @@ long do_utimes(int dfd, char __user *fil
>                     times[1].tv_nsec == UTIME_NOW)
>                times = NULL;
>
> -       /* In most cases, the checks are done in inode_change_ok() */
>        newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME;
>        if (times) {
>                error = -EPERM;
> @@ -123,21 +122,13 @@ long do_utimes(int dfd, char __user *fil
>                        newattrs.ia_mtime.tv_nsec = times[1].tv_nsec;
>                        newattrs.ia_valid |= ATTR_MTIME_SET;
>                }
> -
>                /*
> -                * For the UTIME_OMIT/UTIME_NOW and UTIME_NOW/UTIME_OMIT
> -                * cases, we need to make an extra check that is not done by
> -                * inode_change_ok().
> +                * Tell inode_change_ok(), that this is an explicit time
> +                * update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET
> +                * were used.
>                 */
> -               if (((times[0].tv_nsec == UTIME_NOW &&
> -                           times[1].tv_nsec == UTIME_OMIT)
> -                    ||
> -                    (times[0].tv_nsec == UTIME_OMIT &&
> -                           times[1].tv_nsec == UTIME_NOW))
> -                   && !is_owner_or_cap(inode))
> -                       goto mnt_drop_write_and_out;
> +               newattrs.ia_valid |= ATTR_TIMES_SET;
>        } else {
> -
>                /*
>                 * If times is NULL (or both times are UTIME_NOW),
>                 * then we need to check permissions, because
> Index: linux-2.6/include/linux/fs.h
> ===================================================================
> --- linux-2.6.orig/include/linux/fs.h   2008-07-01 13:52:19.000000000 +0200
> +++ linux-2.6/include/linux/fs.h        2008-07-01 13:52:20.000000000 +0200
> @@ -317,22 +317,23 @@ typedef void (dio_iodone_t)(struct kiocb
>  * Attribute flags.  These should be or-ed together to figure out what
>  * has been changed!
>  */
> -#define ATTR_MODE      1
> -#define ATTR_UID       2
> -#define ATTR_GID       4
> -#define ATTR_SIZE      8
> -#define ATTR_ATIME     16
> -#define ATTR_MTIME     32
> -#define ATTR_CTIME     64
> -#define ATTR_ATIME_SET 128
> -#define ATTR_MTIME_SET 256
> -#define ATTR_FORCE     512     /* Not a change, but a change it */
> -#define ATTR_ATTR_FLAG 1024
> -#define ATTR_KILL_SUID 2048
> -#define ATTR_KILL_SGID 4096
> -#define ATTR_FILE      8192
> -#define ATTR_KILL_PRIV 16384
> -#define ATTR_OPEN      32768   /* Truncating from open(O_TRUNC) */
> +#define ATTR_MODE      (1 << 0)
> +#define ATTR_UID       (1 << 1)
> +#define ATTR_GID       (1 << 2)
> +#define ATTR_SIZE      (1 << 3)
> +#define ATTR_ATIME     (1 << 4)
> +#define ATTR_MTIME     (1 << 5)
> +#define ATTR_CTIME     (1 << 6)
> +#define ATTR_ATIME_SET (1 << 7)
> +#define ATTR_MTIME_SET (1 << 8)
> +#define ATTR_FORCE     (1 << 9) /* Not a change, but a change it */
> +#define ATTR_ATTR_FLAG (1 << 10)
> +#define ATTR_KILL_SUID (1 << 11)
> +#define ATTR_KILL_SGID (1 << 12)
> +#define ATTR_FILE      (1 << 13)
> +#define ATTR_KILL_PRIV (1 << 14)
> +#define ATTR_OPEN      (1 << 15) /* Truncating from open(O_TRUNC) */
> +#define ATTR_TIMES_SET (1 << 16)
>
>  /*
>  * This is the Inode Attributes structure, used for notify_change().  It
>
> --
>



-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
man-pages online: http://www.kernel.org/doc/man-pages/online_pages.html
Found a bug? http://www.kernel.org/doc/man-pages/reporting_bugs.html
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ