| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Sep 2012 17:44:50 -0400 From: "J. Bruce Fields" <bfields@...ldses.org> To: Miklos Szeredi <miklos@...redi.hu> Cc: Andy Whitcroft <apw@...onical.com>, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC PATCH 0/2] issues with NFS filesystems as lower layer On Tue, Sep 11, 2012 at 10:56:52PM +0200, Miklos Szeredi wrote: > "J. Bruce Fields" <bfields@...ldses.org> writes: > > >> > Secondly when using an NFSv3 R/O lower layer the filesystem permissions > >> > check refuses permission to write to the inode which prevents us from > >> > copying it up even though we have a writable upper layer. (With an ext4 > >> > lower layer the inode check will succeed if the inode is writable even > >> > if the filesystem is not.) It is not clear what the right solution is > >> > here. One approach is to check the inode permissions only (avoiding the > >> > filesystem specific permissions op), but it is not clear we can rely on > >> > these for all underlying filesystems. Perhaps this check should only be > >> > used for NFS. > > > > Then couldn't you for example end up circumventing ACLs on the > > underlying file to access data cached by reads from another user on the > > same system? > > Ignoring ACL's should always give less access, isn't that right? Not necessarily. (It's up to the server--and if anything servers probably want to err on the side of returning mode bits that are an upper, not a lower, bound on the permissions.) > > Is it possible to arrange that the check for a readonly filesystem be > > done only by the vfs and not also by ->permission? > > You'd need to modify NFS servers for that to work, no? It's possible > but not practical. Oh, OK, I guess I assumed you were dealing with an NFS filesystem that had been mounted readonly on the NFS client. If it's a read-write mount of a filesystem that's read-only on the server side: well, there is at least an error for that case: the server should return NFSERR_ROFS, and you should see EROFS--could you do the copy-up only in the case you get that error? --b. > > Thanks, > Miklos > > > > > > > --b. > > > >> > Perhaps it needs to be a mount option. The second patch > >> > (for discussion) following this email implements this, using the inode > >> > permissions when the lowerlayer is read-only. This seems to work as > >> > expected in my limited testing. > >> > >> I fear that will create an inconsistency between the read-only and the > >> non-read-only case, even though both should behave the same. > >> > >> I think the cleanest would be to create a mount option to always use > >> generic_permission (on both the lower and the upper fs). That would > >> give us two, slightly different, operating modes but each would be > >> self consistent. > >> > >> Thanks, > >> Miklos > >> -- > >> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > >> the body of a message to majordomo@...r.kernel.org > >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists