aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@redhat.com>2012-06-06 12:12:57 -0400
committerJ. Bruce Fields <bfields@redhat.com>2012-07-10 16:41:35 -0400
commitd91d0b569044ab366895d587d4811b154dd7d7f5 (patch)
tree3b1877f782ad3aa9345637c454b4b298a14da0f7
parent74dbafaf5d84b5187e50dbe82442ec8df66d55b3 (diff)
nfsd: allow owner_override only for regular files
We normally allow the owner of a file to override permissions checks on IO operations, since: - the client will take responsibility for doing an access check on open; - the permission checks offer no protection against malicious clients--if they can authenticate as the file's owner then they can always just change its permissions; - checking permission on each IO operation breaks the usual posix rule that permission is checked only on open. However, we've never allowed the owner to override permissions on readdir operations, even though the above logic would also apply to directories. I've never heard of this causing a problem, probably because a) simultaneously opening and creating a directory (with restricted mode) isn't possible, and b) opening a directory, then chmod'ing it, is rare. Our disallowal of owner-override on directories appears to be an accident, though--the readdir itself succeeds, and then we fail just because lookup_one_len() calls in our filldir methods fail. I'm not sure what the easiest fix for that would be. For now, just make this behavior obvious by denying the override right at the start. This also fixes some odd v4 behavior: with the rdattr_error attribute requested, it would perform the readdir but return an ACCES error with each entry. Signed-off-by: J. Bruce Fields <bfields@redhat.com>
-rw-r--r--fs/nfsd/vfs.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index c8bd9c3be7f7..3256b5c324bc 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -757,8 +757,16 @@ nfsd_open(struct svc_rqst *rqstp, struct svc_fh *fhp, umode_t type,
757 * If we get here, then the client has already done an "open", 757 * If we get here, then the client has already done an "open",
758 * and (hopefully) checked permission - so allow OWNER_OVERRIDE 758 * and (hopefully) checked permission - so allow OWNER_OVERRIDE
759 * in case a chmod has now revoked permission. 759 * in case a chmod has now revoked permission.
760 *
761 * Arguably we should also allow the owner override for
762 * directories, but we never have and it doesn't seem to have
763 * caused anyone a problem. If we were to change this, note
764 * also that our filldir callbacks would need a variant of
765 * lookup_one_len that doesn't check permissions.
760 */ 766 */
761 err = fh_verify(rqstp, fhp, type, may_flags | NFSD_MAY_OWNER_OVERRIDE); 767 if (type == S_IFREG)
768 may_flags |= NFSD_MAY_OWNER_OVERRIDE;
769 err = fh_verify(rqstp, fhp, type, may_flags);
762 if (err) 770 if (err)
763 goto out; 771 goto out;
764 772