From: Oleg Drokin <green@linuxhacker.ru>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: Jeff Layton <jlayton@poochiereds.net>,
linux-nfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nfsd: Make creates return EEXIST correctly instead of EPERM
Date: Fri, 22 Jul 2016 11:13:20 -0400 [thread overview]
Message-ID: <C0BB3C96-A951-45D4-8599-B7FA50F1BA90@linuxhacker.ru> (raw)
In-Reply-To: <20160722105527.GA3512@fieldses.org>
On Jul 22, 2016, at 6:55 AM, J. Bruce Fields wrote:
> On Fri, Jul 22, 2016 at 02:35:26AM -0400, Oleg Drokin wrote:
>>
>> On Jul 21, 2016, at 9:57 PM, J. Bruce Fields wrote:
>>
>>> On Thu, Jul 21, 2016 at 04:37:40PM -0400, Oleg Drokin wrote:
>>>>
>>>> On Jul 21, 2016, at 4:34 PM, J. Bruce Fields wrote:
>>>>
>>>>> On Fri, Jul 08, 2016 at 05:53:19PM -0400, Oleg Drokin wrote:
>>>>>>
>>>>>> On Jul 8, 2016, at 4:54 PM, J. Bruce Fields wrote:
>>>>>>
>>>>>>> On Thu, Jul 07, 2016 at 09:47:46PM -0400, Oleg Drokin wrote:
>>>>>>>> It looks like we are bit overzealous about failing mkdir/create/mknod
>>>>>>>> with permission denied if the parent dir is not writeable.
>>>>>>>> Need to make sure the name does not exist first, because we need to
>>>>>>>> return EEXIST in that case.
>>>>>>>>
>>>>>>>> Signed-off-by: Oleg Drokin <green@linuxhacker.ru>
>>>>>>>> ---
>>>>>>>> A very similar problem exists with symlinks, but the patch is more
>>>>>>>> involved, so assuming this one is ok, I'll send a symlink one separately.
>>>>>>>> fs/nfsd/nfs4proc.c | 6 +++++-
>>>>>>>> fs/nfsd/vfs.c | 11 ++++++++++-
>>>>>>>> 2 files changed, 15 insertions(+), 2 deletions(-)
>>>>>>>>
>>>>>>>> diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
>>>>>>>> index de1ff1d..0067520 100644
>>>>>>>> --- a/fs/nfsd/nfs4proc.c
>>>>>>>> +++ b/fs/nfsd/nfs4proc.c
>>>>>>>> @@ -605,8 +605,12 @@ nfsd4_create(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate,
>>>>>>>>
>>>>>>>> fh_init(&resfh, NFS4_FHSIZE);
>>>>>>>>
>>>>>>>> + /*
>>>>>>>> + * We just check thta parent is accessible here, nfsd_* do their
>>>>>>>> + * own access permission checks
>>>>>>>> + */
>>>>>>>> status = fh_verify(rqstp, &cstate->current_fh, S_IFDIR,
>>>>>>>> - NFSD_MAY_CREATE);
>>>>>>>> + NFSD_MAY_EXEC);
>>>>>>>> if (status)
>>>>>>>> return status;
>>>>>>>>
>>>>>>>> diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
>>>>>>>> index 6fbd81e..6a45ec6 100644
>>>>>>>> --- a/fs/nfsd/vfs.c
>>>>>>>> +++ b/fs/nfsd/vfs.c
>>>>>>>> @@ -1161,7 +1161,11 @@ nfsd_create(struct svc_rqst *rqstp, struct svc_fh *fhp,
>>>>>>>> if (isdotent(fname, flen))
>>>>>>>> goto out;
>>>>>>>>
>>>>>>>> - err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_CREATE);
>>>>>>>> + /*
>>>>>>>> + * Even though it is a create, first we see if we are even allowed
>>>>>>>> + * to peek inside the parent
>>>>>>>> + */
>>>>>>>> + err = fh_verify(rqstp, fhp, S_IFDIR, NFSD_MAY_EXEC);
>>>>>>>
>>>>>>> Looks like in the v3 case we haven't actually locked the directory yet
>>>>>>> at this point so this check is a little race-prone.
>>>>>>
>>>>>> In reality this check is not really needed, I suspect.
>>>>>> When we call vfs_create/mknod/mkdir later on, it has it's own permission check
>>>>>> anyway so if there was a race and somebody changed dir access in the middle,
>>>>>> there's going to be another check anyway and it would be caught.
>>>>>> Unless there's some weird server-side permission wiggling as well that makes it
>>>>>> ineffective, but I imagine that one cannot really change in a racy way?
>>>>>
>>>>> Yeah, I think I'll just change those NFSD_MAY_EXEC's to NFSD_MAY_NOP's.
>>>>> We still need the fh_verify there since it's also what does the
>>>>> filehandle->dentry translation, but we don't need permission checking
>>>>> here yet.
>>>>
>>>> This will likely need an extra test to ensure that when you
>>>> do mkdir where you do not have exec permissions, you would get EACCES instead
>>>> of EEXIST, otherwise that would be information leakage, no?
>>>> Or do you think the second time we do nfsd_permission, that would be covered?
>>>
>>> No, you're right, for some reason I thought that the check for a
>>> positive inode didn't happen till later. But actually the logic is
>>> basically:
>>>
>>> lock inode
>>> lookup_one_len
>>> return nfserr_exist if looked up dentry is positive.
>>> check for create permission
>>> vfs_create
>>>
>>> So, yes, the initial MAY_EXEC test's needed to prevent that information
>>> leak.
>>>
>>> That said... I wonder why it's done that way? Seems to me we could just
>>> tremove that nfserr_exist check and the vfs would handle it for us....
>>> I'll try that.
>>
>> It won't work because the very first thing vfs_create does is may_create(),
>> and so you get EACCES right there instead of the EEXIST.
>
> static inline int may_create(struct inode *dir, struct dentry *child)
> {
> audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE);
> if (child->d_inode)
> return -EEXIST;
> ...
>
> So it looks OK to me.
Hm, in fact indeed. I was just too worked up about the client side, but on the
server side there was a real lookup already, so it does look workable.
>
> --b.
next prev parent reply other threads:[~2016-07-22 15:13 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-08 1:47 [PATCH] nfsd: Make creates return EEXIST correctly instead of EPERM Oleg Drokin
2016-07-08 11:02 ` Jeff Layton
2016-07-08 15:14 ` Oleg Drokin
2016-07-08 15:53 ` Jeff Layton
2016-07-08 15:59 ` Oleg Drokin
2016-07-08 16:17 ` Jeff Layton
2016-07-08 16:28 ` Oleg Drokin
2016-07-09 2:52 ` Al Viro
2016-07-09 2:58 ` Oleg Drokin
2016-07-09 3:13 ` Al Viro
2016-07-08 16:04 ` J. Bruce Fields
2016-07-08 16:16 ` Oleg Drokin
2016-07-08 20:49 ` J. Bruce Fields
2016-07-08 21:47 ` Oleg Drokin
2016-07-09 3:10 ` Al Viro
2016-07-09 3:41 ` Oleg Drokin
2016-07-13 19:00 ` J. Bruce Fields
2016-07-08 20:54 ` J. Bruce Fields
2016-07-08 21:53 ` Oleg Drokin
2016-07-21 20:34 ` J. Bruce Fields
2016-07-21 20:37 ` Oleg Drokin
2016-07-22 1:57 ` J. Bruce Fields
2016-07-22 6:35 ` Oleg Drokin
2016-07-22 10:55 ` J. Bruce Fields
2016-07-22 15:13 ` Oleg Drokin [this message]
2016-07-22 17:48 ` J. Bruce Fields
2016-07-22 17:48 ` [PATCH 1/7] nfsd: Make creates return EEXIST instead of EACCES J. Bruce Fields
2016-07-22 17:48 ` [PATCH 2/7] nfsd: remove redundant zero-length check from create J. Bruce Fields
2016-07-22 17:48 ` [PATCH 3/7] nfsd: remove redundant i_lookup check J. Bruce Fields
2016-07-24 0:22 ` Al Viro
2016-07-24 12:10 ` J. Bruce Fields
2016-07-24 14:23 ` Al Viro
2016-07-24 20:21 ` J. Bruce Fields
2016-07-22 17:48 ` [PATCH 4/7] nfsd: reorganize nfsd_create J. Bruce Fields
2016-07-22 17:48 ` [PATCH 5/7] nfsd: remove unnecessary positive-dentry check J. Bruce Fields
2016-07-22 17:48 ` [PATCH 6/7] nfsd: clean up bad-type check in nfsd_create_locked J. Bruce Fields
2016-07-22 17:48 ` [PATCH 7/7] nfsd: drop unnecessary MAY_EXEC check from create J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=C0BB3C96-A951-45D4-8599-B7FA50F1BA90@linuxhacker.ru \
--to=green@linuxhacker.ru \
--cc=bfields@fieldses.org \
--cc=jlayton@poochiereds.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).