From patchwork Thu Jul 27 03:10:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ernesto_A=2E_Fern=C3=A1ndez?= X-Patchwork-Id: 9866239 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 6155360382 for ; Thu, 27 Jul 2017 03:10:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5668E2879E for ; Thu, 27 Jul 2017 03:10:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4B36B287A4; Thu, 27 Jul 2017 03:10:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DECB22879E for ; Thu, 27 Jul 2017 03:10:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751591AbdG0DK0 (ORCPT ); Wed, 26 Jul 2017 23:10:26 -0400 Received: from mail-qt0-f193.google.com ([209.85.216.193]:37737 "EHLO mail-qt0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751491AbdG0DK0 (ORCPT ); Wed, 26 Jul 2017 23:10:26 -0400 Received: by mail-qt0-f193.google.com with SMTP id d10so7594785qtb.4 for ; Wed, 26 Jul 2017 20:10:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :content-transfer-encoding; bh=jL5978JV8RrLCMoFwfEHuG+PtJBcH7BskrPtvXapE2c=; b=jn597eu1nfSp81rmCilyj9EQteXgUCe+vTKZuRoIohRsJvX6PeHa2LnKvN5HG7vg6I 9zj2NxbBB4VK9SB1UBVCNeNP3y16P7avWmGy3eme4Wnzciwehdao4BlBt6VJSLPlf5Bw h7sgI9olDvjqSUle58pDOMuh/BW1OngLEhEpwWHLUSRaZ+kqioFkjN/S4qJr3MvZ29I7 QlxEUi7zl0ysSd53PVyc66FRL3+9oVDhjIbg6+3RTGREi+1FrVCY/p5hNf08nS+YqSAb nYZfRB3DTsyJiB73kEWcrRQRvcEnZ8B4v/x8+4r2rEbGYngvP3D8q0ZYPoK9b6TZUE/Z /Pwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:content-transfer-encoding; bh=jL5978JV8RrLCMoFwfEHuG+PtJBcH7BskrPtvXapE2c=; b=S91ycLa7W6HnlrwGt6UVpmEHsImCXZt+PMtMAsybujPMKK1WgHnFIPL+9GyFodpOvh PS3vTiSe8TGtPu9p5xruZ6OiqBjKB+/BvP7De0UcyTuSNObwvi7WEvjXjJyE6q/KwTgO qiN+vjJCcjm60hABicpYMM34tomj+E4sEHhEttixBbWg+easCRBW1FyTKDvcGeqe7lpM o+UlOUIS0UOTiICWTCcew+pnEhVwmsQnvQqKBlNoJUfV/QE8JkGoBMqpIUMTWFe+dA9l PfzGUBUEkHxzTE+d7iWR0div57asQV1FjXc+dIOcFVAr8jBBcQ7w/Xt6fvfQxlt8XTBm 2DgA== X-Gm-Message-State: AIVw112Fs4FnrSxio00KIo7AaLFQvD7MFGsTD519D1wgVTjub1xEpj67 CHv+PAkS++HcGqDK X-Received: by 10.200.34.15 with SMTP id o15mr4053706qto.290.1501125025162; Wed, 26 Jul 2017 20:10:25 -0700 (PDT) Received: from debian.home ([190.19.104.98]) by smtp.gmail.com with ESMTPSA id k50sm13280648qtc.68.2017.07.26.20.10.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Jul 2017 20:10:24 -0700 (PDT) Date: Thu, 27 Jul 2017 00:10:20 -0300 From: Ernesto =?utf-8?Q?A=2E_Fern=C3=A1ndez?= To: linux-fsdevel@vger.kernel.org Cc: Jan Kara , Andreas Gruenbacher , Alexander Viro , Ernesto =?utf-8?Q?A=2E_Fern=C3=A1ndez?= Subject: [PATCH 1/2] hfsplus: preserve i_mode if __hfsplus_set_posix_acl() fails Message-ID: <4d0758dad0ee32bda49113a957a8b5d9ce882e9b.1501124092.git.ernesto.mnd.fernandez@gmail.com> MIME-Version: 1.0 Content-Disposition: inline Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When changing a file's acl mask, hfsplus_set_posix_acl() will first set the group bits of i_mode to the value of the mask, and only then set the actual extended attribute representing the new acl. If the second part fails (due to lack of space, for example) and the file had no acl attribute to begin with, the system will from now on assume that the mask permission bits are actual group permission bits, potentially granting access to the wrong users. Prevent this by only changing the inode mode after the acl has been set. Signed-off-by: Ernesto A. Fernández Reviewed-by: Jan Kara --- The same issue affects several filesystems; some of them have already applied patches, see for example: fe26569 ext2: preserve i_mode if ext2_set_acl() fails In order to test this I had to add a mount option to enable acls. That patch is sent next. fs/hfsplus/posix_acl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/hfsplus/posix_acl.c b/fs/hfsplus/posix_acl.c index 6bb5d7c..24a1cdf 100644 --- a/fs/hfsplus/posix_acl.c +++ b/fs/hfsplus/posix_acl.c @@ -102,13 +102,19 @@ static int __hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int hfsplus_set_posix_acl(struct inode *inode, struct posix_acl *acl, int type) { int err; + int update_mode = 0; + umode_t mode = inode->i_mode; if (type == ACL_TYPE_ACCESS && acl) { - err = posix_acl_update_mode(inode, &inode->i_mode, &acl); + err = posix_acl_update_mode(inode, &mode, &acl); if (err) return err; + update_mode = 1; } - return __hfsplus_set_posix_acl(inode, acl, type); + err = __hfsplus_set_posix_acl(inode, acl, type); + if (!err && update_mode) + inode->i_mode = mode; + return err; } int hfsplus_init_posix_acl(struct inode *inode, struct inode *dir)