Message ID | 20200724183812.19573-5-vgoyal@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | fuse: Implement FUSE_HANDLE_KILLPRIV_V2 and enable SB_NOSEC |

On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
>
> open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> have information if caller has CAP_FSETID or not.
>
> So force sending setattr() which is called after open(O_TRUNC) so that
> server clears setuid/setgid.

I don't really like the fact that we lose atomicity if
handle_killpriv_v2 is enabled.

Let's just add a new flag to open as well. If a filesystem doesn't
want to add the complexity of handling that it can still just disable
atomic_o_trunc.

Thanks,
Miklos

On Fri, Aug 21, 2020 at 05:05:16PM +0200, Miklos Szeredi wrote:
> On Fri, Jul 24, 2020 at 8:38 PM Vivek Goyal <vgoyal@redhat.com> wrote:
> >
> > open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
> > have information if caller has CAP_FSETID or not.
> >
> > So force sending setattr() which is called after open(O_TRUNC) so that
> > server clears setuid/setgid.
>
> I don't really like the fact that we lose atomicity if
> handle_killpriv_v2 is enabled.
>
> Let's just add a new flag to open as well. If a filesystem doesn't
> want to add the complexity of handling that it can still just disable
> atomic_o_trunc.

Ok, will look into adding flag to open.

Vivek

diff --git a/fs/fuse/dir.c b/fs/fuse/dir.c index 82747ca4c5c8..0572779abbbe 100644 --- a/fs/fuse/dir.c +++ b/fs/fuse/dir.c @@ -1516,7 +1516,7 @@ int fuse_do_setattr(struct dentry *dentry, struct iattr *attr, /* This is coming from open(..., ... | O_TRUNC); */ WARN_ON(!(attr->ia_valid & ATTR_SIZE)); WARN_ON(attr->ia_size != 0); - if (fc->atomic_o_trunc) { + if (fc->atomic_o_trunc && !fc->handle_killpriv_v2) { /* * No need to send request to userspace, since actual * truncation has already been done by OPEN. But still
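
Review bot: The comment directly under the changed condition in fuse_do_setattr() ("No need to send request to userspace, since actual truncation has already been done by OPEN") now describes only the case where handle_killpriv_v2 is off, and nothing in the code says why the request is sent when it is on. Add a sentence there stating that with handle_killpriv_v2 the SETATTR is still sent so the server clears setuid/setgid, because fuse_open_in does not tell it whether the caller has CAP_FSETID. Note also that with both atomic_o_trunc and handle_killpriv_v2 set, the truncation is done by OPEN while the suid/sgid clearing arrives only with this later SETATTR, so the two are no longer one atomic step; if that gap is not acceptable, the information has to travel in the open request itself rather than being recovered by falling through here.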

open(O_TRUNC) will not kill suid/sgid on server and fuse_open_in does not
have information if caller has CAP_FSETID or not.

So force sending setattr() which is called after open(O_TRUNC) so that
server clears setuid/setgid.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
---
 fs/fuse/dir.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)