Date: Mon, 20 May 2019 16:41:37 +0200
From: Miklos Szeredi
To: Vivek Goyal
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-nvdimm@lists.01.org, stefanha@redhat.com, dgilbert@redhat.com, swhiteho@redhat.com
Subject: Re: [PATCH v2 02/30] fuse: Clear setuid bit even in cache=never path
Message-ID: <20190520144137.GA24093@localhost.localdomain>
References: <20190515192715.18000-1-vgoyal@redhat.com> <20190515192715.18000-3-vgoyal@redhat.com>
In-Reply-To: <20190515192715.18000-3-vgoyal@redhat.com>

On Wed, May 15, 2019 at 03:26:47PM -0400, Vivek Goyal wrote:
> If fuse daemon is started with cache=never, fuse falls back to direct IO.
> In that write path we don't call file_remove_privs() and that means setuid
> bit is not cleared if unprivileged user writes to a file with setuid bit set.
>
> pjdfstest chmod test 12.t tests this and fails.

I think a better solution is to tell the server if the suid bit needs to be removed, so it can do so in a race free way.

Here's the kernel patch, and I'll reply with the libfuse patch.

--- fs/fuse2/file.c | 2 ++ include/uapi/linux/fuse.h | 3 +++ 2 files changed, 5 insertions(+) --- a/fs/fuse2/file.c +++ b/fs/fuse2/file.c @@ -363,6 +363,8 @@ static ssize_t fuse_send_write(struct fu inarg->flags |= O_DSYNC; if (iocb->ki_flags & IOCB_SYNC) inarg->flags |= O_SYNC; + if (!capable(CAP_FSETID)) + inarg->write_flags |= FUSE_WRITE_KILL_PRIV; req->inh.opcode = FUSE_WRITE; req->inh.nodeid = ff->nodeid; req->inh.len = req->inline_inlen + count; --- a/include/uapi/linux/fuse.h +++ b/include/uapi/linux/fuse.h @@ -125,6 +125,7 @@ * * 7.29 * - add FUSE_NO_OPENDIR_SUPPORT flag + * - add FUSE_WRITE_KILL_PRIV flag */ #ifndef _LINUX_FUSE_H
@@ -318,9 +319,11 @@ struct fuse_file_lock { * * FUSE_WRITE_CACHE: delayed write from page cache, file handle is guessed * FUSE_WRITE_LOCKOWNER: lock_owner field is valid + * FUSE_WRITE_KILL_PRIV: kill suid and sgid bits */ #define FUSE_WRITE_CACHE (1 << 0) #define FUSE_WRITE_LOCKOWNER (1 << 1) +#define FUSE_WRITE_KILL_PRIV (1 << 2) /** * Read flags
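
Review bot: In the fs/fuse2/file.c hunk, FUSE_WRITE_KILL_PRIV is set in fuse_send_write() for every write from a task without CAP_FSETID, and nothing visible here ties it to whether the server understands the flag. The fuse.h changelog lists the flag under 7.29, so a server built against an older header would presumably ignore the bit and leave the setuid bit in place; consider gating this on the negotiated protocol version, or state in the commit message what happens with older servers. A one-line comment above `if (!capable(CAP_FSETID))` saying why the capability decides this would also help.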
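
Review bot: In the include/uapi/linux/fuse.h hunk at @@ -318, the comment `FUSE_WRITE_KILL_PRIV: kill suid and sgid bits` does not say under which conditions the server should clear them. The kernel's own write path clears sgid only when group-execute is also set, so spell out whether servers are expected to follow that rule or to clear both bits unconditionally; since this is a uapi header, the wording becomes the contract.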
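
One way a passthrough-style server could act on FUSE_WRITE_KILL_PRIV without a separate chmod step, as an added example (not code from this thread or from libfuse): it drops CAP_FSETID from the calling thread's effective set for the duration of the write, so the host kernel clears the bits as part of the write itself. `set_effective_fsetid`, `server_write` and `demo_mode_after_write` are hypothetical names, and the sketch assumes Linux and a server that writes to a local backing file.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define FUSE_WRITE_KILL_PRIV (1 << 2) /* value defined in the patch above */

/* Set or clear CAP_FSETID in this thread's effective set.
 * Returns its previous state (0 or 1), or -1 on error. */
static int set_effective_fsetid(int on)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    int had = (data[0].effective >> CAP_FSETID) & 1;
    if (on)
        data[0].effective |= 1u << CAP_FSETID;
    else
        data[0].effective &= ~(1u << CAP_FSETID);
    return syscall(SYS_capset, &hdr, data) == 0 ? had : -1;
}

/* Hypothetical write handler of a passthrough server (assumption, not libfuse). */
ssize_t server_write(int fd, const void *buf, size_t len, off_t off, uint32_t write_flags)
{
    int had = 0;

    if ((write_flags & FUSE_WRITE_KILL_PRIV) && (had = set_effective_fsetid(0)) < 0)
        return -1;
    ssize_t n = pwrite(fd, buf, len, off); /* host kernel strips suid/sgid here */
    if (had == 1)
        set_effective_fsetid(1); /* still in the permitted set, so this succeeds */
    return n;
}

/* Constructed demo: mode bits of a fresh 04755 temp file after one write. */
int demo_mode_after_write(uint32_t write_flags)
{
    char path[] = "/tmp/killpriv-XXXXXX";
    struct stat st;
    int mode = -1, fd = mkstemp(path);

    if (fd >= 0 && fchmod(fd, 04755) == 0 &&
        server_write(fd, "x", 1, 0, write_flags) == 1 && fstat(fd, &st) == 0)
        mode = st.st_mode & 07777;
    if (fd >= 0) { close(fd); unlink(path); }
    return mode;
}
```

Capabilities are per thread on Linux, so the temporary drop does not affect other worker threads handling writes from callers that do hold CAP_FSETID.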