From: Steve French <smfrench@gmail.com>
To: Ronnie Sahlberg <lsahlber@redhat.com>
Cc: linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: [PATCH] cifs: modefromsids must add an ACE for authenticated users
Date: Sun, 13 Feb 2022 18:13:29 -0600 [thread overview]
Message-ID: <CAH2r5mtK6pgX31NN4yA0EbRm5nF+9mfu-1urjsEOU4OZejXjqQ@mail.gmail.com> (raw)
In-Reply-To: <20220213224052.3387192-2-lsahlber@redhat.com>
merged into cifs-2.6.git for-next pending review and more testing
Ronnie,
Maybe we should add a small test for create file with modefromsid,
chmod the file, and then getcifsacl?
On Sun, Feb 13, 2022 at 4:41 PM Ronnie Sahlberg <lsahlber@redhat.com> wrote:
>
> When we create a file with modefromsids we set an ACL that
> has one ACE for the magic modefromsid as well as a second ACE that
> grants full access to all authenticated users.
>
> When later we chante the mode on the file we strip away this, and other,
> ACE for authenticated users in set_chmod_dacl() and then just add back/update
> the modefromsid ACE.
> Thus leaving the file with a single ACE that is for the mode and no ACE
> to grant any user any rights to access the file.
> Fix this by always adding back also the modefromsid ACE so that we do not
> drop the rights to access the file.
>
> Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
> ---
> fs/cifs/cifsacl.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
> index ee3aab3dd4ac..40cda87ce384 100644
> --- a/fs/cifs/cifsacl.c
> +++ b/fs/cifs/cifsacl.c
> @@ -949,6 +949,9 @@ static void populate_new_aces(char *nacl_base,
> pnntace = (struct cifs_ace *) (nacl_base + nsize);
> nsize += setup_special_mode_ACE(pnntace, nmode);
> num_aces++;
> + pnntace = (struct cifs_ace *) (nacl_base + nsize);
> + nsize += setup_authusers_ACE(pnntace);
> + num_aces++;
> goto set_size;
> }
>
> @@ -1613,7 +1616,7 @@ id_mode_to_cifs_acl(struct inode *inode, const char *path, __u64 *pnmode,
> nsecdesclen = secdesclen;
> if (pnmode && *pnmode != NO_CHANGE_64) { /* chmod */
> if (mode_from_sid)
> - nsecdesclen += sizeof(struct cifs_ace);
> + nsecdesclen += 2 * sizeof(struct cifs_ace);
> else /* cifsacl */
> nsecdesclen += 5 * sizeof(struct cifs_ace);
> } else { /* chown */
> --
> 2.30.2
>
--
Thanks,
Steve
next prev parent reply other threads:[~2022-02-14 0:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-13 22:40 Ronnie Sahlberg
2022-02-13 22:40 ` [PATCH] cifs: modefromsids must add an ACE for authenticated users Ronnie Sahlberg
2022-02-13 23:46 ` Steve French
2022-02-14 13:02 ` Shyam Prasad N
2022-02-14 0:13 ` Steve French [this message]
2022-02-14 7:52 ` ronnie sahlberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAH2r5mtK6pgX31NN4yA0EbRm5nF+9mfu-1urjsEOU4OZejXjqQ@mail.gmail.com \
--to=smfrench@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=lsahlber@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.