diff options
| author | Miklos Szeredi <mszeredi@suse.cz> | 2008-07-01 09:01:26 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-07-26 20:53:25 -0400 |
| commit | 9767d74957450da6365c363d69e3d02d605d7375 (patch) | |
| tree | 913afe491d13b42b0cfcb540569080bba4725dfd | |
| parent | 88b387824fdaecb6ba0f471acf0aadf7d24739fd (diff) | |
[patch 1/4] vfs: utimes: move owner check into inode_change_ok()
Add a new ia_valid flag: ATTR_TIMES_SET, to handle the
UTIMES_OMIT/UTIMES_NOW and UTIMES_NOW/UTIMES_OMIT cases. In these
cases neither ATTR_MTIME_SET nor ATTR_ATIME_SET is in the flags, yet
the POSIX draft specifies that permission checking is performed the
same way as if one or both of the times was explicitly set to a
timestamp.
See the path "vfs: utimensat(): fix error checking for
{UTIME_NOW,UTIME_OMIT} case" by Michael Kerrisk for the patch
introducing this behavior.
This is a cleanup, as well as allowing filesystems (NFS/fuse/...) to
perform their own permission checking instead of the default.
CC: Ulrich Drepper <drepper@redhat.com>
CC: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| -rw-r--r-- | fs/attr.c | 2 | ||||
| -rw-r--r-- | fs/utimes.c | 17 | ||||
| -rw-r--r-- | include/linux/fs.h | 33 |
3 files changed, 22 insertions, 30 deletions
| @@ -51,7 +51,7 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) | |||
| 51 | } | 51 | } |
| 52 | 52 | ||
| 53 | /* Check for setting the inode time. */ | 53 | /* Check for setting the inode time. */ |
| 54 | if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET)) { | 54 | if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET | ATTR_TIMES_SET)) { |
| 55 | if (!is_owner_or_cap(inode)) | 55 | if (!is_owner_or_cap(inode)) |
| 56 | goto error; | 56 | goto error; |
| 57 | } | 57 | } |
diff --git a/fs/utimes.c b/fs/utimes.c index b6b664e7145e..ecf8941ba34a 100644 --- a/fs/utimes.c +++ b/fs/utimes.c | |||
| @@ -101,7 +101,6 @@ long do_utimes(int dfd, char __user *filename, struct timespec *times, int flags | |||
| 101 | times[1].tv_nsec == UTIME_NOW) | 101 | times[1].tv_nsec == UTIME_NOW) |
| 102 | times = NULL; | 102 | times = NULL; |
| 103 | 103 | ||
| 104 | /* In most cases, the checks are done in inode_change_ok() */ | ||
| 105 | newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; | 104 | newattrs.ia_valid = ATTR_CTIME | ATTR_MTIME | ATTR_ATIME; |
| 106 | if (times) { | 105 | if (times) { |
| 107 | error = -EPERM; | 106 | error = -EPERM; |
| @@ -123,21 +122,13 @@ long do_utimes(int dfd, char __user *filename, struct timespec *times, int flags | |||
| 123 | newattrs.ia_mtime.tv_nsec = times[1].tv_nsec; | 122 | newattrs.ia_mtime.tv_nsec = times[1].tv_nsec; |
| 124 | newattrs.ia_valid |= ATTR_MTIME_SET; | 123 | newattrs.ia_valid |= ATTR_MTIME_SET; |
| 125 | } | 124 | } |
| 126 | |||
| 127 | /* | 125 | /* |
| 128 | * For the UTIME_OMIT/UTIME_NOW and UTIME_NOW/UTIME_OMIT | 126 | * Tell inode_change_ok(), that this is an explicit time |
| 129 | * cases, we need to make an extra check that is not done by | 127 | * update, even if neither ATTR_ATIME_SET nor ATTR_MTIME_SET |
| 130 | * inode_change_ok(). | 128 | * were used. |
| 131 | */ | 129 | */ |
| 132 | if (((times[0].tv_nsec == UTIME_NOW && | 130 | newattrs.ia_valid |= ATTR_TIMES_SET; |
| 133 | times[1].tv_nsec == UTIME_OMIT) | ||
| 134 | || | ||
| 135 | (times[0].tv_nsec == UTIME_OMIT && | ||
| 136 | times[1].tv_nsec == UTIME_NOW)) | ||
| 137 | && !is_owner_or_cap(inode)) | ||
| 138 | goto mnt_drop_write_and_out; | ||
| 139 | } else { | 131 | } else { |
| 140 | |||
| 141 | /* | 132 | /* |
| 142 | * If times is NULL (or both times are UTIME_NOW), | 133 | * If times is NULL (or both times are UTIME_NOW), |
| 143 | * then we need to check permissions, because | 134 | * then we need to check permissions, because |
diff --git a/include/linux/fs.h b/include/linux/fs.h index d8721e818b45..527b9e482f99 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h | |||
| @@ -320,22 +320,23 @@ typedef void (dio_iodone_t)(struct kiocb *iocb, loff_t offset, | |||
| 320 | * Attribute flags. These should be or-ed together to figure out what | 320 | * Attribute flags. These should be or-ed together to figure out what |
| 321 | * has been changed! | 321 | * has been changed! |
| 322 | */ | 322 | */ |
| 323 | #define ATTR_MODE 1 | 323 | #define ATTR_MODE (1 << 0) |
| 324 | #define ATTR_UID 2 | 324 | #define ATTR_UID (1 << 1) |
| 325 | #define ATTR_GID 4 | 325 | #define ATTR_GID (1 << 2) |
| 326 | #define ATTR_SIZE 8 | 326 | #define ATTR_SIZE (1 << 3) |
| 327 | #define ATTR_ATIME 16 | 327 | #define ATTR_ATIME (1 << 4) |
| 328 | #define ATTR_MTIME 32 | 328 | #define ATTR_MTIME (1 << 5) |
| 329 | #define ATTR_CTIME 64 | 329 | #define ATTR_CTIME (1 << 6) |
| 330 | #define ATTR_ATIME_SET 128 | 330 | #define ATTR_ATIME_SET (1 << 7) |
| 331 | #define ATTR_MTIME_SET 256 | 331 | #define ATTR_MTIME_SET (1 << 8) |
| 332 | #define ATTR_FORCE 512 /* Not a change, but a change it */ | 332 | #define ATTR_FORCE (1 << 9) /* Not a change, but a change it */ |
| 333 | #define ATTR_ATTR_FLAG 1024 | 333 | #define ATTR_ATTR_FLAG (1 << 10) |
| 334 | #define ATTR_KILL_SUID 2048 | 334 | #define ATTR_KILL_SUID (1 << 11) |
| 335 | #define ATTR_KILL_SGID 4096 | 335 | #define ATTR_KILL_SGID (1 << 12) |
| 336 | #define ATTR_FILE 8192 | 336 | #define ATTR_FILE (1 << 13) |
| 337 | #define ATTR_KILL_PRIV 16384 | 337 | #define ATTR_KILL_PRIV (1 << 14) |
| 338 | #define ATTR_OPEN 32768 /* Truncating from open(O_TRUNC) */ | 338 | #define ATTR_OPEN (1 << 15) /* Truncating from open(O_TRUNC) */ |
| 339 | #define ATTR_TIMES_SET (1 << 16) | ||
| 339 | 340 | ||
| 340 | /* | 341 | /* |
| 341 | * This is the Inode Attributes structure, used for notify_change(). It | 342 | * This is the Inode Attributes structure, used for notify_change(). It |