Re: PATCH: RH7.3 with XFS : /usr/bin/test -x seems broken

[David Greaves <david@xxxxxxxxxxxx>]

Thanks Nathan

In order to apply cleanly  the diff between 1.340 and 1.342 is needed...
Rebuilt and tested and this seems to fix the problem.
(Of course it took a few hours to diagnose and fix a dodgy CPU fan that 
was SIG11'ing the build! - nothin's ever straightforward)

Is it worth summarising this in an errata at
ftp://oss.sgi.com/projects/xfs/download/Release-1.1/installer/installer/i386/

Cheers
David


Index: xfs_inode.c
===================================================================
RCS file: /cvs/linux-2.4-xfs/linux/fs/xfs/xfs_inode.c,v
retrieving revision 1.340
retrieving revision 1.342
diff -u -5 -r1.340 -r1.342
--- xfs_inode.c    2002/06/18 14:45:50    1.340
+++ xfs_inode.c    2002/06/28 17:44:54    1.342
@@ -3426,22 +3426,28 @@
xfs_iaccess(
    xfs_inode_t    *ip,
    mode_t        mode,
    cred_t        *cr)
{
-    int error;
-    mode_t orgmode = mode;
+    int        error;
+    mode_t        orgmode = mode;
+    struct inode    *inode = LINVFS_GET_IP(XFS_ITOV(ip));

    /*
     * Verify that the MAC policy allows the requested access.
     */
    if ((error = _MAC_XFS_IACCESS(ip, mode, cr)))
        return XFS_ERROR(error);
   
-       if ((mode & IWRITE) && !WRITEALLOWED(XFS_ITOV(ip)))
-        return XFS_ERROR(EROFS);
+       if (mode & IWRITE) {
+        umode_t        imode = inode->i_mode;

+        if (IS_RDONLY(inode) &&
+            (S_ISREG(imode) || S_ISDIR(imode) || S_ISLNK(imode)))
+            return XFS_ERROR(EROFS);
+    }
+
    /*
     * If there's an Access Control List it's used instead of
     * the mode bits.
     */
    if ((error = _ACL_XFS_IACCESS(ip, mode, cr)) != -1)
@@ -3450,12 +3456,23 @@
    if (current->fsuid != ip->i_d.di_uid) {
        mode >>= 3;
        if (!in_group_p((gid_t)ip->i_d.di_gid))
            mode >>= 3;
    }
-    if (((ip->i_d.di_mode & mode) == mode) || capable_cred(cr, 
CAP_DAC_OVERRIDE))
+
+    /*
+     * If the DACs are ok we don't need any capability check.
+     */
+    if ((ip->i_d.di_mode & mode) == mode)
        return 0;
+    /*
+     * Read/write DACs are always overridable.
+     * Executable DACs are overridable if at least one exec bit is set.
+     */
+    if ((orgmode & (IREAD|IWRITE)) || (inode->i_mode & S_IXUGO))
+        if (capable_cred(cr, CAP_DAC_OVERRIDE))
+            return 0;

    if ((orgmode == IREAD) ||
        (((ip->i_d.di_mode & IFMT) == IFDIR) &&
         (!(orgmode & ~(IWRITE|IEXEC))))) {
        if (capable_cred(cr, CAP_DAC_READ_SEARCH))


Nathan Straz wrote:

> On Wed, Aug 21, 2002 at 03:42:38PM +0100, David Greaves wrote:
>  
>
> > Nathan Straz wrote:
> >    
> >
> > > On Wed, Aug 21, 2002 at 02:34:22PM +0100, David Greaves wrote:
> > >      
> > >
> > > > When I use /usr/bin/test, well, [ -x filename ] it always returns true.
> > > >        
> > > See: TAKE - fix root access() and non-executables
> > > http://marc.theaimsgroup.com/?l=linux-xfs&m=102528663319323&w=2
> > >      
> > I'll see what Eric Sandeen did and see if it applies to the src shipped 
> > with the RH iso so it can be patched.
> >    
>
> It's probably easier for me to post the patch than for you to dig
> through CVS until you find it, so here it is.  Apply it with --posix.
>
> nstraz@maine wa/xfs-2.4.x/linux% p_mod2patch -u 2.4.x-xfs:slinx:122557a
>
> ===========================================================================
> Index: linux/fs/xfs/xfs_inode.c
> ===========================================================================
>
> --- /usr/tmp/TmpDir.21937-0/linux/fs/xfs/xfs_inode.c_1.341      2002-08-21 09:47:05.000000000 -0500
> +++ /usr/tmp/TmpDir.21937-0/linux/fs/xfs/xfs_inode.c_1.342      2002-08-21 09:47:05.000000000 -0500
>  
[snip]