* [PATCH] fs: Delete group check before ACL
@ 2022-11-10 12:37 Wang Boshi
From: Wang Boshi @ 2022-11-10 12:37 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel, linux-kernel

Skipping the full file ACL check when there are no group permissions means
we cannot deny access to specific users or groups that we ban according to
the ACL_USER, ACL_GROUP and ACL_MASK rules, because they may pass due to
the other permissions.

Example:
  date > test_file
  setfacl -m u:1000:rwx,g:2000:rwx,u::rwx,g::rwx,o::rwx,m::0 test_file
  capsh --groups=1000 --gid=1000 --uid=1000 -- -c "cat test_file"
  capsh --groups=2000 --gid=2000 --uid=2000 -- -c "cat test_file"

Signed-off-by: Wang Boshi <wangboshi@huawei.com>
---
 fs/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c
index 578c2110df02..d5772a31b5fc 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -347,7 +347,7 @@ static int acl_permission_check(struct user_namespace *mnt_userns,
 	}
 
 	/* Do we have ACL's? */
-	if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
+	if (IS_POSIXACL(inode)) {
 		int error = check_acl(mnt_userns, inode, mask);
 		if (error != -EAGAIN)
 			return error;
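Review bot: the commit message should explain why dropping `(mode & S_IRWXG)` is correct, not only that the ban does not take effect: with a POSIX ACL the group bits of i_mode carry ACL_MASK, so a mask of 0 (the `m::0` in the example) made the old condition skip check_acl() entirely and fall through to the `other` bits, whereas an ACL_USER or ACL_GROUP entry that matches the caller is final under acl(5) and, masked to nothing, must deny. The example should also state the expected result of each `cat` (the message implies both should be denied for uid 1000 and uid 2000 after the change). The new condition also calls check_acl() for every non-owner access on every IS_POSIXACL inode, including inodes that carry no ACL at all, so the message should say whether the cost of losing this fast path in front of the mode-bit fallback was considered or measured.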
-- 
2.29.2
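To make the semantic gap concrete, here is an added Python model (not kernel code and not part of the patch) of the acl(5) access-check algorithm beside the pre-patch group-bits shortcut, run over the ACL from the commit message's setfacl line; the file owner (root:root) and the requested permission bits are constructed assumptions.

```python
# Added model of the acl(5) access check next to the pre-patch kernel shortcut;
# not kernel code. The ACL mirrors the setfacl line in the commit message,
# the file owner (root:root) is a constructed assumption.
R, W, X = 4, 2, 1  # rwx bits, same encoding as a mode triplet

EXAMPLE_ACL = [  # (tag, qualifier, perms) for the setfacl line above
    ("user_obj", None, 7), ("user", 1000, 7), ("group_obj", None, 7),
    ("group", 2000, 7), ("mask", None, 0), ("other", None, 7),
]
EXAMPLE_OWNER = (0, 0)  # (uid, gid) of test_file, constructed


def _entries(acl):
    return {(tag, qual): perms for tag, qual, perms in acl}


def posix_acl_check(acl, owner, uid, gid, groups, want):
    """True if acl(5) grants the rwx bits in `want` to the calling process."""
    e = _entries(acl)
    acl_mask = e.get(("mask", None), 7)  # no mask entry: nothing is masked
    owner_uid, owner_gid = owner
    if uid == owner_uid:
        perms = e[("user_obj", None)]
    elif ("user", uid) in e:
        # a matching named user is final: masked to nothing, it denies
        perms = e[("user", uid)] & acl_mask
    else:
        # owning group and every matching named group are candidates; any
        # one of them that (after masking) allows the request grants it
        cands = []
        if owner_gid == gid or owner_gid in groups:
            cands.append(e[("group_obj", None)] & acl_mask)
        cands += [e[("group", g)] & acl_mask for g in {gid, *groups}
                  if ("group", g) in e]
        if cands:
            return any(want & ~c == 0 for c in cands)
        perms = e[("other", None)]
    return want & ~perms == 0


def kernel_shortcut_check(acl, owner, uid, gid, groups, want):
    """Pre-patch acl_permission_check(): with a POSIX ACL the group bits of
    i_mode hold ACL_MASK, and the ACL is only consulted when they are set."""
    e = _entries(acl)
    group_bits = e.get(("mask", None), e[("group_obj", None)])
    owner_uid, owner_gid = owner
    if uid == owner_uid:
        return want & ~e[("user_obj", None)] == 0
    if group_bits:
        return posix_acl_check(acl, owner, uid, gid, groups, want)
    # shortcut taken: plain mode-bit check, so only 'other' can still grant
    if owner_gid == gid or owner_gid in groups:
        return want & ~group_bits == 0
    return want & ~e[("other", None)] == 0
```

With the mask at 0, uid 1000 and uid 2000 are denied by the acl(5) algorithm but granted by the shortcut through the `other` bits; with any non-zero mask the two paths agree.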

