Commit 25aa73df authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] mqueue permission fix

From: Manfred Spraul <manfred@colorfullife.com>

Any user can delete any entries in a mqueue mounted filesystem.  The attached
patch prevents that.

- remove the writable test from mq_unlink.

- set the sticky bit in the root inode.  This affects both mq_unlink and
  sys_unlink: only the owner (and root) should be allowed to remove queues.
parent 485583e1
...@@ -153,7 +153,7 @@ static int mqueue_fill_super(struct super_block *sb, void *data, int silent) ...@@ -153,7 +153,7 @@ static int mqueue_fill_super(struct super_block *sb, void *data, int silent)
sb->s_magic = MQUEUE_MAGIC; sb->s_magic = MQUEUE_MAGIC;
sb->s_op = &mqueue_super_ops; sb->s_op = &mqueue_super_ops;
inode = mqueue_get_inode(sb, S_IFDIR | S_IRWXUGO); inode = mqueue_get_inode(sb, S_IFDIR | S_ISVTX | S_IRWXUGO);
if (!inode) if (!inode)
return -ENOMEM; return -ENOMEM;
...@@ -685,10 +685,6 @@ asmlinkage long sys_mq_unlink(const char __user *u_name) ...@@ -685,10 +685,6 @@ asmlinkage long sys_mq_unlink(const char __user *u_name)
goto out_err; goto out_err;
} }
if (permission(dentry->d_inode, MAY_WRITE, NULL)) {
err = -EACCES;
goto out_err;
}
inode = dentry->d_inode; inode = dentry->d_inode;
if (inode) if (inode)
atomic_inc(&inode->i_count); atomic_inc(&inode->i_count);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment