| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4c5227e8-fdf7-47e1-8d42-4e41cf2512b2@auristor.com>
Date: Thu, 29 May 2025 22:42:34 -0400
From: Jeffrey E Altman <jaltman@...istor.com>
To: David Howells <dhowells@...hat.com>,
Christian Brauner <christian@...uner.io>
Cc: Marc Dionne <marc.dionne@...istor.com>, linux-afs@...ts.infradead.org,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
Etienne Champetier <champetier.etienne@...il.com>,
Chet Ramey <chet.ramey@...e.edu>, Cheyenne Wills <cwills@...enomine.net>,
Alexander Viro <viro@...iv.linux.org.uk>,
Christian Brauner <brauner@...nel.org>, Steve French <sfrench@...ba.org>,
openafs-devel@...nafs.org, linux-cifs@...r.kernel.org
Subject: Re: [PATCH 1/2] afs, bash: Fix open(O_CREAT) on an extant AFS file in
a sticky dir
On 5/29/2025 8:11 PM, Jeffrey E Altman wrote:
>
> On 5/19/2025 12:11 PM, David Howells wrote:
>> +int afs_is_owned_by_me(struct mnt_idmap *idmap, struct inode *inode)
>> +{
>> + struct afs_vnode *vnode = AFS_FS_I(inode);
>> + afs_access_t access;
>> + struct key *key;
>> + int ret;
>> +
>> + key = afs_request_key(vnode->volume->cell);
>> + if (IS_ERR(key))
>> + return PTR_ERR(key);
>> +
>> + /* Get the access rights for the key on this file. */
>> + ret = afs_check_permit(vnode, key, &access);
>> + if (ret < 0)
>> + goto error;
>> +
>> + /* We get the ADMINISTER bit if we own the file. */
>> + ret = (access & AFS_ACE_ADMINISTER) ? 0 : 1;
>
> AFS_ACE_ADMINISTER only means ownership if the inode is a
> non-directory. Should
> we add an explicit check for inode type?
I think the answer is 'yes'. The above check does not work for
directory inodes so
we need another method of answering the question or informing the caller
that the
answer is unknown. In some cases, such as chown() and chgrp() its safe
to say the
caller is the owner and defer the eventual access check to the server
when the inode
is a directory. However, there are other cases such as check_sticky()
where the vfs
cannot defer the decision to the server because there isn't an RPC that
is a one-to-one
match for the decision being made.
In addition to ownership, operations such as chown and chgrp or chmod might
be permitted if the caller is a member of the system:administrators
group. The
server has no method of informing the client that the user is special or
what rights
are granted due to that status.
In the absence of explicit knowledge, the only method by which the
client can
answer the question today would be to issue a PR_WhoAmI RPC to the cell's
Protection Service to obtain the AFS ID of the task's token. The AFS ID
could then
be compared to the struct afs_vnode->status.owner field. However,
clients might
not be permitted to communicate with the Protection Service and PR_WhoAmI is
currently only available from the AuriStorFS Protection Service.
PR_WhoAmI is
standardized for implementation by OpenAFS but at present neither OpenAFS
1.8.x nor 1.9.x include an implementation.
It should be noted that although an AFS ID is provided to the afs client
when an
rxkad token is inserted into the kernel, the provided value cannot be
trusted and
must not be used for this purpose.
>
>> +error:
>> + key_put(key);
>> + return ret;
>> +}
To address the most urgent need which is the may_create_in_sticky()
call, perhaps
introduce a non-directory specific is_file_inode_owned_by_me() as part
of this
change and then address the directory case once we figure out how to
implement
it.
Jeffrey Altman
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4276 bytes)
Powered by blists - more mailing lists