From: Christian Brauner <brauner@kernel.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Yang Xu <xuyang2018.jy@fujitsu.com>,
linux-fsdevel@vger.kernel.org, ceph-devel@vger.kernel.org,
david@fromorbit.com, djwong@kernel.org, willy@infradead.org,
jlayton@kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Jann Horn <jannh@google.com>
Subject: Re: [PATCH v8 1/4] fs: add mode_strip_sgid() helper
Date: Thu, 28 Apr 2022 10:25:44 +0200 [thread overview]
Message-ID: <20220428082544.7v5s3dfgtsda6hll@wittgenstein> (raw)
In-Reply-To: <Ymn05eNgOnaYy36R@zeniv-ca.linux.org.uk>
On Thu, Apr 28, 2022 at 01:59:01AM +0000, Al Viro wrote:
> On Tue, Apr 26, 2022 at 07:11:27PM +0800, Yang Xu wrote:
> > Add a dedicated helper to handle the setgid bit when creating a new file
> > in a setgid directory. This is a preparatory patch for moving setgid
> > stripping into the vfs. The patch contains no functional changes.
> >
> > Currently the setgid stripping logic is open-coded directly in
> > inode_init_owner() and the individual filesystems are responsible for
> > handling setgid inheritance. Since this has proven to be brittle as
> > evidenced by old issues we uncovered over the last months (see [1] to
> > [3] below) we will try to move this logic into the vfs.
>
> First of all, inode_init_owner() is (and always had been) an optional helper.
The whole patch series was triggered because ever since I added setgid
inheritance tests (see [1]) as part of the idmapped mounts test suite
into xfstests we found 3 setgid inheritance bugs (The bugs are linked in
the commit messages.).
The bugs showed up whenever a filesystem didn't call inode_init_owner()
or had custom code in place that deviated from expectations.
That's what triggered this whole patch series. Yang took it on and seems
here to see it through.
I should point out that it was rather unclear what expectations are btw
because of the ordering dependency between umask and POSIX ACLs and
setgid stripping. I've describe this at length in the commit message I
gave Yang.
It took a lot of digging and over the course of me reviewing this patch
series more and more corner-cases pop up that we haven't handled.
> Filesystems are *NOT* required to call it, so putting any common functionality
> in there had always been a mistake.
See above. I pointed this out in earlier version.
I very much agree which is why we should move it into the vfs proper if
we can with reasonably minimal regression risk.
[1]: https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/src/idmapped-mounts/idmapped-mounts.c#n7812
next prev parent reply other threads:[~2022-04-28 8:25 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 11:11 [PATCH v8 1/4] fs: add mode_strip_sgid() helper Yang Xu
2022-04-26 11:11 ` [PATCH v8 2/4] fs: Add missing umask strip in vfs_tmpfile Yang Xu
2022-04-26 11:11 ` [PATCH v8 3/4] fs: move S_ISGID stripping into the vfs Yang Xu
2022-04-26 10:38 ` Christian Brauner
2022-04-26 11:20 ` Amir Goldstein
2022-04-26 11:52 ` Miklos Szeredi
2022-04-26 14:53 ` Christian Brauner
2022-04-27 9:22 ` Christian Brauner
2022-04-28 4:45 ` Al Viro
2022-04-28 8:07 ` Christian Brauner
2022-04-26 15:52 ` Christian Brauner
2022-04-27 1:21 ` xuyang2018.jy
2022-04-26 11:11 ` [PATCH v8 4/4] ceph: rely on vfs for setgid stripping Yang Xu
2022-04-26 14:52 ` [PATCH v8 1/4] fs: add mode_strip_sgid() helper Jeff Layton
2022-04-27 1:34 ` xuyang2018.jy
2022-04-28 1:59 ` Al Viro
2022-04-28 2:15 ` Al Viro
2022-04-28 2:23 ` xuyang2018.jy
2022-04-28 2:49 ` Al Viro
2022-04-28 3:12 ` Al Viro
2022-04-28 3:46 ` Al Viro
2022-04-28 9:34 ` Christian Brauner
2022-05-19 1:03 ` xuyang2018.jy
2022-05-19 9:14 ` Christian Brauner
2022-04-28 8:06 ` Jann Horn
2022-04-28 8:44 ` Christian Brauner
2022-04-28 11:55 ` Christian Brauner
2022-04-28 8:25 ` Christian Brauner [this message]
2022-04-28 4:40 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220428082544.7v5s3dfgtsda6hll@wittgenstein \
--to=brauner@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=jannh@google.com \
--cc=jlayton@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=xuyang2018.jy@fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.