• J. Bruce Fields's avatar
    nfsd: allow owner_override only for regular files · d91d0b56
    J. Bruce Fields authored
    We normally allow the owner of a file to override permissions checks on
    IO operations, since:
    	- the client will take responsibility for doing an access check
    	  on open;
    	- the permission checks offer no protection against malicious
    	  clients--if they can authenticate as the file's owner then
    	  they can always just change its permissions;
    	- checking permission on each IO operation breaks the usual
    	  posix rule that permission is checked only on open.
    
    However, we've never allowed the owner to override permissions on
    readdir operations, even though the above logic would also apply to
    directories.  I've never heard of this causing a problem, probably
    because a) simultaneously opening and creating a directory (with
    restricted mode) isn't possible, and b) opening a directory, then
    chmod'ing it, is rare.
    
    Our disallowal of owner-override on directories appears to be an
    accident, though--the readdir itself succeeds, and then we fail just
    because lookup_one_len() calls in our filldir methods fail.
    
    I'm not sure what the easiest fix for that would be.  For now, just make
    this behavior obvious by denying the override right at the start.
    
    This also fixes some odd v4 behavior: with the rdattr_error attribute
    requested, it would perform the readdir but return an ACCES error with
    each entry.
    Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
    d91d0b56
vfs.c 54.6 KB