Thanks Nathan
In order to apply cleanly the diff between 1.340 and 1.342 is needed...
Rebuilt and tested and this seems to fix the problem.
(Of course it took a few hours to diagnose and fix a dodgy CPU fan that
was SIG11'ing the build! - nothin's ever straightforward)
Is it worth summarising this in an errata at
ftp://oss.sgi.com/projects/xfs/download/Release-1.1/installer/installer/i386/
Cheers
David
Index: xfs_inode.c
===================================================================
RCS file: /cvs/linux-2.4-xfs/linux/fs/xfs/xfs_inode.c,v
retrieving revision 1.340
retrieving revision 1.342
diff -u -5 -r1.340 -r1.342
--- xfs_inode.c 2002/06/18 14:45:50 1.340
+++ xfs_inode.c 2002/06/28 17:44:54 1.342
@@ -3426,22 +3426,28 @@
xfs_iaccess(
xfs_inode_t *ip,
mode_t mode,
cred_t *cr)
{
- int error;
- mode_t orgmode = mode;
+ int error;
+ mode_t orgmode = mode;
+ struct inode *inode = LINVFS_GET_IP(XFS_ITOV(ip));
/*
* Verify that the MAC policy allows the requested access.
*/
if ((error = _MAC_XFS_IACCESS(ip, mode, cr)))
return XFS_ERROR(error);
- if ((mode & IWRITE) && !WRITEALLOWED(XFS_ITOV(ip)))
- return XFS_ERROR(EROFS);
+ if (mode & IWRITE) {
+ umode_t imode = inode->i_mode;
+ if (IS_RDONLY(inode) &&
+ (S_ISREG(imode) || S_ISDIR(imode) || S_ISLNK(imode)))
+ return XFS_ERROR(EROFS);
+ }
+
/*
* If there's an Access Control List it's used instead of
* the mode bits.
*/
if ((error = _ACL_XFS_IACCESS(ip, mode, cr)) != -1)
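Review bot: the new EROFS block under "if (mode & IWRITE)" has no comment saying why only S_ISREG, S_ISDIR and S_ISLNK inodes are refused on a read-only mount while every other file type is now let through. The removed WRITEALLOWED() test hid that decision in a macro. It is now open-coded, so a one-line comment above "if (IS_RDONLY(inode) &&" stating the intent would keep a later reader from "fixing" it back. Separately, "inode" is taken from LINVFS_GET_IP(XFS_ITOV(ip)) at declaration and dereferenced at "inode->i_mode" with no check. If that pointer is guaranteed valid for every caller of xfs_iaccess, say so in the comment. If it is not, guard it. The two re-indented declarations of "error" and "orgmode" are whitespace-only churn and could be dropped from the change.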
@@ -3450,12 +3456,23 @@
if (current->fsuid != ip->i_d.di_uid) {
mode >>= 3;
if (!in_group_p((gid_t)ip->i_d.di_gid))
mode >>= 3;
}
- if (((ip->i_d.di_mode & mode) == mode) || capable_cred(cr,
CAP_DAC_OVERRIDE))
+
+ /*
+ * If the DACs are ok we don't need any capability check.
+ */
+ if ((ip->i_d.di_mode & mode) == mode)
return 0;
+ /*
+ * Read/write DACs are always overridable.
+ * Executable DACs are overridable if at least one exec bit is set.
+ */
+ if ((orgmode & (IREAD|IWRITE)) || (inode->i_mode & S_IXUGO))
+ if (capable_cred(cr, CAP_DAC_OVERRIDE))
+ return 0;
if ((orgmode == IREAD) ||
(((ip->i_d.di_mode & IFMT) == IFDIR) &&
(!(orgmode & ~(IWRITE|IEXEC))))) {
if (capable_cred(cr, CAP_DAC_READ_SEARCH))
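Review bot: the override test "if ((orgmode & (IREAD|IWRITE)) || (inode->i_mode & S_IXUGO))" does not match its comment for combined requests. It is true whenever a read or write bit is requested, so a request such as IREAD|IEXEC on a file with no exec bit set still reaches capable_cred(cr, CAP_DAC_OVERRIDE) and returns 0, which grants the execute access the comment says should need at least one exec bit. Testing that exec is not requested, for example "!(orgmode & IEXEC) || (inode->i_mode & S_IXUGO)", would express the stated rule. The exec-bit test also reads "inode->i_mode" while the DAC comparison two lines above reads "ip->i_d.di_mode". Using one source for both avoids a disagreement if the two copies of the mode ever differ. As a style point, the nested "if" without braces is easy to misread. Either join the two conditions with && or brace the outer "if".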
Nathan Straz wrote:
On Wed, Aug 21, 2002 at 03:42:38PM +0100, David Greaves wrote:
Nathan Straz wrote:
On Wed, Aug 21, 2002 at 02:34:22PM +0100, David Greaves wrote:
When I use /usr/bin/test, well, [ -x filename ] it always returns true.
See: TAKE - fix root access() and non-executables
http://marc.theaimsgroup.com/?l=linux-xfs&m=102528663319323&w=2
I'll see what Eric Sandeen did and see if it applies to the src shipped
with the RH iso so it can be patched.
It's probably easier for me to post the patch than for you to dig
through CVS until you find it, so here it is. Apply it with --posix.
nstraz@maine wa/xfs-2.4.x/linux% p_mod2patch -u 2.4.x-xfs:slinx:122557a
===========================================================================
Index: linux/fs/xfs/xfs_inode.c
===========================================================================
--- /usr/tmp/TmpDir.21937-0/linux/fs/xfs/xfs_inode.c_1.341 2002-08-21
09:47:05.000000000 -0500
+++ /usr/tmp/TmpDir.21937-0/linux/fs/xfs/xfs_inode.c_1.342 2002-08-21
09:47:05.000000000 -0500
[snip]