xfs
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

TAKE - acls

from [Timothy Shimmin] [Permanent Link][Original]
To: linux-xfs@xxxxxxxxxxx
Subject: TAKE - acls
From: Timothy Shimmin <tes@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 20 Feb 2001 19:20:22 +1100 (EST)
Sender: owner-linux-xfs@xxxxxxxxxxx 
Change QA test for ACLs (thanks to Marcelo) so
that we use "fork/exec" instead of "system" to test
execute permission validation for a program.

This uncovered a bug in the ACL code which should
be fixed by the change to posix_acl.c.
Basically, we need to sync up the Linux inode's i_mode
bits with the IRIX inode's di_mode bits after we
set the acl.
Otherwise, execute permission won't be granted until
we do an operation which causes the revalidate to occur.

There is some strange code in linux/fs/exec.c:
    int prepare_binprm(struct linux_binprm *bprm)
    {
            int mode;
            struct inode * inode = bprm->file->f_dentry->d_inode;

            mode = inode->i_mode;
            /* Huh? We had already checked for MAY_EXEC, WTF do we check this? 
*/
            if (!(mode & 0111))     /* with at least _one_ execute bit set */
                    return -EACCES;
    ...

which does a 2nd execute permission check.
It is strange because it is called from do_execve() which
previously called open_exec() which calls the
permission() function.
The permission() function can be overridden like we do
for ACLs. However, even if access is granted by the permission
function, if the mode bits don't grant access then you
are stuffed. I would have thought that access should be left
to the permission function.


--Tim


Date:  Tue Feb 20 00:07:09 PST 2001
Workarea:  snort.melbourne.sgi.com:/diskb/build4/tes/slinx-xfs-acl

The following file(s) were checked into:
  bonnie.engr.sgi.com:/isms/slinx/2.4.x-xfs


Modid:  2.4.x-xfs:slinx:87920a
cmd/xfstests/src/runas.c - 1.2
        - Take Marcelo Magallo's diff/suggestion and use fork/exec
          instead of system.

cmd/xfstests/051.out - 1.3
        - Update as no longer uses system but fork/exec.

cmd/xfstests/051 - 1.4
        - tidy up a bit

linux/fs/posix_acl.c - 1.2
        - Need to do a revalidate after we call acl_set so
          that the Linux inode bits are copied over from the xfs inode.
          Specifically we need Linux' i_mode to have XFS' di_mode.
          It becomes important for this to happen as do_execve() which
          calls prepare_binprm() seems to have a crazy test which checks
          the permission bits again - after calling the permission function
          earlier. So we need the mode bits sync'ed with the acl permission
          bits.
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • TAKE - acls, Timothy Shimmin <=
Previous by Date:  /dev/mouse /dev/cdrom (was: PCMCIA and devfs), Manfred W. Baumstark
Next by Date:  not xfs related - just hoping someone here has a better understanding, Russel Ingram
Previous by Thread:  Does it work with samba on it as a server?, Alfred Nutile
Next by Thread:  not xfs related - just hoping someone here has a better understanding, Russel Ingram
Indexes:  [Date] [Thread] [Top] [All Lists]