lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4A4BA6F8.7090905@redhat.com>
Date:	Wed, 01 Jul 2009 13:12:08 -0500
From:	Eric Sandeen <sandeen@...hat.com>
To:	Amerigo Wang <amwang@...hat.com>
CC:	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
	eteo@...hat.com, viro@...iv.linux.org.uk, esandeen@...hat.com
Subject: Re: [Patch] allow file truncations when both suid and write permissions
 set

Amerigo Wang wrote:
> When suid is set and the non-owner user has write permission,
> any writing into this file should be allowed and suid should be
> removed after that.
> 
> However, current kernel only allows writing without truncations,
> when we do truncations on that file, we get EPERM. This is a bug.

Thanks, I'd noticed this once too but never put together a patch... :(

> Steps to reproduce this bug:
> 
> % ls -l rootdir/file1
> -rwsrwsrwx 1 root root 3 Jun 25 15:42 rootdir/file1
> % echo h > rootdir/file1
> zsh: operation not permitted: rootdir/file1
> % ls -l rootdir/file1
> -rwsrwsrwx 1 root root 3 Jun 25 15:42 rootdir/file1
> % echo h >> rootdir/file1
> % ls -l rootdir/file1
> -rwxrwxrwx 1 root root 5 Jun 25 16:34 rootdir/file1
> 
> This patch fixes it.
> 
> (Need to Cc stable?)

probably a good idea.

> Signed-off-by: WANG Cong <amwang@...hat.com>
> Cc: Eric Sandeen <esandeen@...hat.com>
> Cc: Eugene Teo <eteo@...hat.com>
> Cc: Al Viro <viro@...iv.linux.org.uk>
> 
> ---
> diff --git a/fs/open.c b/fs/open.c
> index dd98e80..ebf6d8d 100644
> --- a/fs/open.c
> +++ b/fs/open.c
> @@ -199,7 +199,7 @@ out:
>  int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
>  	struct file *filp)
>  {
> -	int err;
> +	int ret;
>  	struct iattr newattrs;
>  
>  	/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
> @@ -214,12 +214,15 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
>  	}
>  
>  	/* Remove suid/sgid on truncate too */
> -	newattrs.ia_valid |= should_remove_suid(dentry);
> +	ret = should_remove_suid(dentry);
> +	newattrs.ia_valid |=  ret;
> +	if (ret)
> +		newattrs.ia_valid |= ATTR_FORCE;

So I think the main problem here is simply that we didn't set
ATTR_FORCE, right...

Seems a little odd to |= with ret, -then- check if it's non-0.  Maybe:

 	/* Remove suid/sgid on truncate too */
-	newattrs.ia_valid |= should_remove_suid(dentry);
+	ret = should_remove_suid(dentry);
+	if (ret)
+		newattrs.ia_valid |= (ret | ATTR_FORCE);

?

Otherwise this much looks right to me, though I don't claim to be the
world's foremost expert at this.  :)

Thanks,
-Eric

>  	mutex_lock(&dentry->d_inode->i_mutex);
> -	err = notify_change(dentry, &newattrs);
> +	ret = notify_change(dentry, &newattrs);
>  	mutex_unlock(&dentry->d_inode->i_mutex);
> -	return err;
> +	return ret;
>  }
>  
>  static long do_sys_truncate(const char __user *pathname, loff_t length)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ