* [PATCH] ceph: force sending open request to MDS for root user
From: xiubli @ 2022-09-01 14:52 UTC
To: ceph-devel; +Cc: jlayton, idryomov, lhenriques, rraja, mchangir, Xiubo Li
From: Xiubo Li <xiubli@redhat.com>
With the root_squash MDS caps enabled and for a root user it should
fail to write the file. But currently the kclient will just skip
sending an open request and check the cap instead even with the root
user. This will skip checking the MDS caps in MDS server.
URL: https://tracker.ceph.com/issues/56067
URL: https://tracker.ceph.com/issues/57154
Signed-off-by: Xiubo Li <xiubli@redhat.com>
---
fs/ceph/file.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/fs/ceph/file.c b/fs/ceph/file.c
index 86265713a743..642c0facbdcd 100644
--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -360,6 +360,7 @@ int ceph_open(struct inode *inode, struct file *file)
struct ceph_mds_client *mdsc = fsc->mdsc;
struct ceph_mds_request *req;
struct ceph_file_info *fi = file->private_data;
+ uid_t uid = from_kuid(&init_user_ns, get_current_cred()->fsuid);
int err;
int flags, fmode, wanted;
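Review bot: `get_current_cred()` on the added `uid_t uid = ...` line takes a reference on the current credentials, and nothing in the visible lines drops it with `put_cred()`, so each call to ceph_open() would leak a cred reference. Only the fsuid is read here, so `current_fsuid()` avoids the refcount entirely, and testing `uid_eq(current_fsuid(), GLOBAL_ROOT_UID)` at the point of use would avoid converting through `init_user_ns` to a raw `uid_t`.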
@@ -393,13 +394,19 @@ int ceph_open(struct inode *inode, struct file *file)
}
/*
- * No need to block if we have caps on the auth MDS (for
- * write) or any MDS (for read). Update wanted set
- * asynchronously.
+ * If the caller is root user and the Fw caps is required
+ * it will force sending a open request to MDS to let
+ * the MDS do the root_squash MDS caps check.
+ *
+ * Otherwise no need to block if we have caps on the auth
+ * MDS (for write) or any MDS (for read). Update wanted
+ * set asynchronously.
*/
spin_lock(&ci->i_ceph_lock);
- if (__ceph_is_any_real_caps(ci) &&
- (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap)) {
+ if (((fmode & CEPH_FILE_MODE_WR) && uid != 0) &&
+ (__ceph_is_any_real_caps(ci) &&
+ (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap))) {
+
int mds_wanted = __ceph_caps_mds_wanted(ci, true);
int issued = __ceph_caps_issued(ci, NULL);
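Review bot: the new first clause `((fmode & CEPH_FILE_MODE_WR) && uid != 0)` of the `if` is inverted relative to the comment above it. As written, the cached-caps path is taken only for write opens by a non-root caller, so every read-only open, for any uid, now skips that path and sends an open request to the MDS, and the inner `((fmode & CEPH_FILE_MODE_WR) == 0)` test can never be true. To force the request only when root asks for write, negate the root-and-write case instead: `!((fmode & CEPH_FILE_MODE_WR) && uid == 0) && ...`. The blank `+` line after the opening brace can also be dropped.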
--
2.36.0.rc1
* Re: [PATCH] ceph: force sending open request to MDS for root user
From: Xiubo Li @ 2022-09-02 1:57 UTC
To: ceph-devel; +Cc: jlayton, idryomov, lhenriques, rraja, mchangir
On 9/1/22 10:52 PM, xiubli@redhat.com wrote:
> From: Xiubo Li <xiubli@redhat.com>
>
> With the root_squash MDS caps enabled and for a root user it should
> fail to write the file. But currently the kclient will just skip
> sending an open request and check the cap instead even with the root
> user. This will skip checking the MDS caps in MDS server.
>
> URL: https://tracker.ceph.com/issues/56067
> URL: https://tracker.ceph.com/issues/57154
> Signed-off-by: Xiubo Li <xiubli@redhat.com>
> ---
> fs/ceph/file.c | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ceph/file.c b/fs/ceph/file.c
> index 86265713a743..642c0facbdcd 100644
> --- a/fs/ceph/file.c
> +++ b/fs/ceph/file.c
> @@ -360,6 +360,7 @@ int ceph_open(struct inode *inode, struct file *file)
> struct ceph_mds_client *mdsc = fsc->mdsc;
> struct ceph_mds_request *req;
> struct ceph_file_info *fi = file->private_data;
> + uid_t uid = from_kuid(&init_user_ns, get_current_cred()->fsuid);
> int err;
> int flags, fmode, wanted;
>
> @@ -393,13 +394,19 @@ int ceph_open(struct inode *inode, struct file *file)
> }
>
> /*
> - * No need to block if we have caps on the auth MDS (for
> - * write) or any MDS (for read). Update wanted set
> - * asynchronously.
> + * If the caller is root user and the Fw caps is required
> + * it will force sending a open request to MDS to let
> + * the MDS do the root_squash MDS caps check.
> + *
> + * Otherwise no need to block if we have caps on the auth
> + * MDS (for write) or any MDS (for read). Update wanted
> + * set asynchronously.
> */
> spin_lock(&ci->i_ceph_lock);
> - if (__ceph_is_any_real_caps(ci) &&
> - (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap)) {
> + if (((fmode & CEPH_FILE_MODE_WR) && uid != 0) &&
This should be:
if (!((fmode & CEPH_FILE_MODE_WR) && !uid) &&
Will send the V2 to fix it.
- Xiubo
> + (__ceph_is_any_real_caps(ci) &&
> + (((fmode & CEPH_FILE_MODE_WR) == 0) || ci->i_auth_cap))) {
> +
> int mds_wanted = __ceph_caps_mds_wanted(ci, true);
> int issued = __ceph_caps_issued(ci, NULL);
>