linux-stable.git/fs/ext3/acl.c, branch linux-3.2.y Linux kernel stable tree ext3: preserve i_mode if ext2_set_acl() fails 2017-10-12T14:27:18+00:00 Ben Hutchings ben@decadent.org.uk 2017-10-08T13:48:44+00:00 4a79ebbdd0231a4afcd758314b3852501694e44f Based on Ernesto A. Fernández's fix for ext2 (commit fe26569eb919), from which the following description is taken: > When changing a file's acl mask, ext2_set_acl() will first set the group > bits of i_mode to the value of the mask, and only then set the actual > extended attribute representing the new acl. > > If the second part fails (due to lack of space, for example) and the file > had no acl attribute to begin with, the system will from now on assume > that the mask permission bits are actual group permission bits, potentially > granting access to the wrong users. > > Prevent this by only changing the inode mode after the acl has been set. Cc: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com> Cc: Jan Kara <jack@suse.cz> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
Based on Ernesto A. Fernández's fix for ext2 (commit fe26569eb919), from
which the following description is taken:

> When changing a file's acl mask, ext2_set_acl() will first set the group
> bits of i_mode to the value of the mask, and only then set the actual
> extended attribute representing the new acl.
>
> If the second part fails (due to lack of space, for example) and the file
> had no acl attribute to begin with, the system will from now on assume
> that the mask permission bits are actual group permission bits, potentially
> granting access to the wrong users.
>
> Prevent this by only changing the inode mode after the acl has been set.

Cc: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
ext3: Don't clear SGID when inheriting ACLs 2017-10-12T14:27:17+00:00 Ben Hutchings ben@decadent.org.uk 2017-10-06T02:18:40+00:00 6b49d3b542cc262009a4d3f878bc003d59b2c304 Based on Jan Kara's fix for ext2 (commit a992f2d38e4c), from which the following description is taken: > When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit > set, DIR1 is expected to have SGID bit set (and owning group equal to > the owning group of 'DIR0'). However when 'DIR0' also has some default > ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on > 'DIR1' to get cleared if user is not member of the owning group. > > Fix the problem by creating __ext2_set_acl() function that does not call > posix_acl_update_mode() and use it when inheriting ACLs. That prevents > SGID bit clearing and the mode has been properly set by > posix_acl_create() anyway. Fixes: 073931017b49 ("posix_acl: Clear SGID bit when setting file permissions") Cc: linux-ext4@vger.kernel.org Cc: Jan Kara <jack@suse.cz> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
Based on Jan Kara's fix for ext2 (commit a992f2d38e4c), from which the
following description is taken:

> When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
> set, DIR1 is expected to have SGID bit set (and owning group equal to
> the owning group of 'DIR0'). However when 'DIR0' also has some default
> ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
> 'DIR1' to get cleared if user is not member of the owning group.
>
> Fix the problem by creating __ext2_set_acl() function that does not call
> posix_acl_update_mode() and use it when inheriting ACLs. That prevents
> SGID bit clearing and the mode has been properly set by
> posix_acl_create() anyway.

Fixes: 073931017b49 ("posix_acl: Clear SGID bit when setting file permissions")
Cc: linux-ext4@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
posix_acl: Clear SGID bit when setting file permissions 2016-11-20T01:01:44+00:00 Jan Kara jack@suse.cz 2016-09-19T15:39:09+00:00 a06d3be52bce98746341cfb290203603fd028290 commit 073931017b49d9458aa351605b43a7e34598caef upstream. When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod(2). Fix that. References: CVE-2016-7097 Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> [bwh: Backported to 3.2: - Drop changes to ceph, f2fs, hfsplus, orangefs - Use capable() instead of capable_wrt_inode_uidgid() - Update ext3 and generic_acl.c as well - In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if posix_acl_update_mode() determines it's not needed - Adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit 073931017b49d9458aa351605b43a7e34598caef upstream.

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[bwh: Backported to 3.2:
 - Drop changes to ceph, f2fs, hfsplus, orangefs
 - Use capable() instead of capable_wrt_inode_uidgid()
 - Update ext3 and generic_acl.c as well
 - In gfs2, jfs, and xfs, take care to avoid leaking the allocated ACL if
   posix_acl_update_mode() determines it's not needed
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
switch posix_acl_equiv_mode() to umode_t * 2011-08-01T06:10:06+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T22:56:36+00:00 d6952123b53cc8b334df69bba2cd0063b0d88f68 ... so that &inode->i_mode could be passed to it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
... so that &inode->i_mode could be passed to it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
switch posix_acl_create() to umode_t * 2011-08-01T06:09:42+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T22:37:50+00:00 d3fb612076eebec6f67257db0c7a9666ac7e5892 so we can pass &inode->i_mode to it Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
so we can pass &inode->i_mode to it

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs: take the ACL checks to common code 2011-07-25T18:30:23+00:00 Christoph Hellwig hch@lst.de 2011-07-23T15:37:31+00:00 4e34e719e457f2e031297175410fc0bd4016a085 Replace the ->check_acl method with a ->get_acl method that simply reads an ACL from disk after having a cache miss. This means we can replace the ACL checking boilerplate code with a single implementation in namei.c. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Replace the ->check_acl method with a ->get_acl method that simply reads an
ACL from disk after having a cache miss.  This means we can replace the ACL
checking boilerplate code with a single implementation in namei.c.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kill boilerplates around posix_acl_create_masq() 2011-07-25T18:27:32+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T07:10:32+00:00 826cae2f2b4d726b925f43bc208a571639da4761 new helper: posix_acl_create(&acl, gfp, mode_p). Replaces acl with modified clone, on failure releases acl and replaces with NULL. Returns 0 or -ve on error. All callers of posix_acl_create_masq() switched. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
new helper: posix_acl_create(&acl, gfp, mode_p).  Replaces acl with
modified clone, on failure releases acl and replaces with NULL.
Returns 0 or -ve on error.  All callers of posix_acl_create_masq()
switched.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kill boilerplate around posix_acl_chmod_masq() 2011-07-25T18:27:30+00:00 Al Viro viro@zeniv.linux.org.uk 2011-07-23T04:18:02+00:00 bc26ab5f65ae41b71df86ea46df3c3833d1d8d83 new helper: posix_acl_chmod(&acl, gfp, mode). Replaces acl with modified clone or with NULL if that has failed; returns 0 or -ve on error. All callers of posix_acl_chmod_masq() switched to that - they'd been doing exactly the same thing. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
new helper: posix_acl_chmod(&acl, gfp, mode).  Replaces acl with modified
clone or with NULL if that has failed; returns 0 or -ve on error.  All
callers of posix_acl_chmod_masq() switched to that - they'd been doing
exactly the same thing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
vfs: move ACL cache lookup into generic code 2011-07-25T18:23:39+00:00 Linus Torvalds torvalds@linux-foundation.org 2011-07-23T02:30:19+00:00 e77819e57f0817c6dc7cadd061acd70c604cbce2 This moves logic for checking the cached ACL values from low-level filesystems into generic code. The end result is a streamlined ACL check that doesn't need to load the inode->i_op->check_acl pointer at all for the common cached case. The filesystems also don't need to check for a non-blocking RCU walk case in their acl_check() functions, because that is all handled at a VFS layer. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
This moves logic for checking the cached ACL values from low-level
filesystems into generic code.  The end result is a streamlined ACL
check that doesn't need to load the inode->i_op->check_acl pointer at
all for the common cached case.

The filesystems also don't need to check for a non-blocking RCU walk
case in their acl_check() functions, because that is all handled at a
VFS layer.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
->permission() sanitizing: don't pass flags to ->check_acl() 2011-07-20T05:43:21+00:00 Al Viro viro@zeniv.linux.org.uk 2011-06-20T23:12:17+00:00 7e40145eb111a5192e6d819f764db9d6828d1abb not used in the instances anymore. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
not used in the instances anymore.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>