linux-xfs.vger.kernel.org archive mirror
From: "Darrick J. Wong" <djwong@kernel.org>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Christoph Hellwig <hch@lst.de>, linux-xfs@vger.kernel.org
Subject: Re: [PATCH] xfs: fix up non-directory creation in SGID directories
Date: Thu, 14 Jan 2021 08:06:44 -0800
Message-ID: <20210114160644.GY1164246@magnolia>
In-Reply-To: <20210114104511.kekdiqumjvo2lo7v@wittgenstein>

On Thu, Jan 14, 2021 at 11:45:11AM +0100, Christian Brauner wrote:
> On Wed, Jan 13, 2021 at 07:46:30PM +0100, Christoph Hellwig wrote:
> > XFS always inherits the SGID bit if it is set on the parent inode, while
> > the generic inode_init_owner does not do this in a few cases where it can
> > create a possible security problem, see commit 0fa3ecd87848
> > ("Fix up non-directory creation in SGID directories") for details.
> > 
> > Switch XFS to use the generic helper for the normal path to fix this,
> > just keeping the simple field inheritance open coded for the case of the
> > non-sgid case with the bsdgrpid mount option.
> > 
> > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> > Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
> > Signed-off-by: Christoph Hellwig <hch@lst.de>
> > ---
> 
> Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
> 
> I ran the idmapped mounts xfstests on this patchset. With this patch
> applied I was able to remove the special casing for xfs (apart from the
> irix compatibility check) and got clean test runs:
> 
> 
> 1. with regular setgid inheritance rules
> root@f2-vm:/xfstests# ./check generic/622

Is this test posted to fstests somewhere?

FWIW the code change looks reasonable to me, but I wanted to see the
functionality exercise test first. :)

--D

> FSTYP         -- xfs (non-debug)
> PLATFORM      -- Linux/x86_64 f2-vm 5.11.0-rc3-brauner-idmapped-mounts-xfs #311 SMP Thu Jan 14 09:55:14 UTC 2021
> MKFS_OPTIONS  -- -f -bsize=4096 /dev/loop7
> MOUNT_OPTIONS -- /dev/loop7 /mnt/scratch
> 
> generic/622 1s ...  2s
> Ran: generic/622
> Passed all 1 tests
> 
> 2. with irix_sgid_inherit setgid inheritance rules
> root@f2-vm:/xfstests# echo 1 > /proc/sys/fs/xfs/irix_sgid_inherit
> root@f2-vm:/xfstests# ./check generic/622
> FSTYP         -- xfs (non-debug)
> PLATFORM      -- Linux/x86_64 f2-vm 5.11.0-rc3-brauner-idmapped-mounts-xfs #311 SMP Thu Jan 14 09:55:14 UTC 2021
> MKFS_OPTIONS  -- -f -bsize=4096 /dev/loop7
> MOUNT_OPTIONS -- /dev/loop7 /mnt/scratch
> 
> generic/622 2s ...  1s
> Ran: generic/622
> Passed all 1 tests
> 
> Thanks!
> Christian
