Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1230756pxk; Thu, 10 Sep 2020 10:07:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy6XXLP8HiYMr29hWMz0nBAzYX3KBI90wWWNkwPWVgggOKlU54BdecHrO0BrkbJuyxhpBaT X-Received: by 2002:a17:906:915:: with SMTP id i21mr9581500ejd.113.1599757647370; Thu, 10 Sep 2020 10:07:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599757647; cv=none; d=google.com; s=arc-20160816; b=HBQKU9R9899IdpbAdI3rY4AIwopSDWy6XUXEh0DrBgJUGftQceOXk1Z9RXny+AKod9 1/AvxTERDRGizaMZYKf4cIvfXcI1ZGyS/aEUGimcImhfDFGk41ixkcvYuQx3LC3//CrD G9B6cOliV53gaxKG4p2tIQ1iI81OuJuNxEb7hMCZRnZx/TWQ8SuMVe5/Addv96FeAFnW 5pSDWeUpVgit5jwPKnJGFCH3GTUKK1qgXYQ9EvZJd2J9zdhdl/NY1H/AZ9ZDDU9hIY34 3XPpAsfxEUzJtvBwIK/8X8chJ1uK112E69nosR7Y5NhfMogpdnZHv0E5KUl8KfrmhQue hQrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Htiv1y42ArkBLeU1OV3/JhPg43sNRv6rL5M8Abf7aq4=; b=r8MUYPIb/MYuO5saOteEBlrpGKDPuhLQuH57mwiui5IrXZBhqT9O9ZNrARArakVjma /ofIoiHDTCCi7WxjWIZviG3wzbUyWlOw9Mm8Zi2w9Ezy9E7s+9cetityrmSA4aBKJdnJ lT3cwOOqlWh0qT0SMR6tUvbhWca4JyeZlf9f2vyFf2FVs0j1EoMp+zl2XcfRT7vMAmKv s1i5EfilZx5IyVLw+yezvj3Tc/hNTP5TMkG5zrBCAxI3GI8Wozid0rM4/RgM8R040Sew L25rIOxrOoYtLXkZKDy4SzatpTXeCGSSWHV5jMRLMqxWPlFvI1WIxbq7sfwderU1L/Aw wTIw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j6si3627859ejk.734.2020.09.10.10.07.03; Thu, 10 Sep 2020 10:07:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727066AbgIJRDi (ORCPT + 99 others); Thu, 10 Sep 2020 13:03:38 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:52496 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727052AbgIJRC6 (ORCPT ); Thu, 10 Sep 2020 13:02:58 -0400 Date: Thu, 10 Sep 2020 13:02:56 -0400 From: Rich Felker To: Christoph Hellwig Cc: linux-api@vger.kernel.org, Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] vfs: add fchmodat2 syscall Message-ID: <20200910170256.GK3265@brightrain.aerifal.cx> References: <20200910142335.GG3265@brightrain.aerifal.cx> <20200910162059.GA18228@infradead.org> <20200910163949.GJ3265@brightrain.aerifal.cx> <20200910164234.GA25140@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200910164234.GA25140@infradead.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 10, 2020 at 05:42:34PM +0100, Christoph Hellwig wrote: > On Thu, Sep 10, 2020 at 12:39:50PM -0400, Rich Felker wrote: > > On Thu, Sep 10, 2020 at 05:20:59PM +0100, Christoph Hellwig wrote: > > > On Thu, Sep 10, 2020 at 10:23:37AM -0400, Rich Felker wrote: > > > > userspace emulation done in libc implementations. No change is made to > > > > the underlying chmod_common(), so it's still possible to attempt > > > > changes via procfs, if desired. > > > > > > And that is the goddamn problem. We need to fix that _first_. > > > > Can you clarify exactly what that is? Do you mean fixing the > > underlying fs backends, or just ensuring that the chmod for symlinks > > doesn't reach them by putting the check in chmod_common? I'm ok with > > any of these. > > Either - we need to make sure the user can't change the permission > bits. > > > > After that we can add sugarcoating using new syscalls if needed. > > > > The new syscall is _not_ about this problem. It's about the missing > > flags argument and inability to implement fchmodat() without access to > > procfs. The above problem is just something you encounter and have to > > make a decision about in order to fix the missing flags problem and > > make a working AT_SYMLINK_NOFOLLOW. > > And I'm generally supportive of that. But we need to fix the damn > bug first an then do nice to haves. Would you be happy with a pair of patches where the first blocks chmod of symlinks in chmod_common and the second adds the syscall with flags? I think this is a clearly understandable fix, but it does eliminate the ability to *fix* link access modes that have been set to ridiculous values (note: I don't think it really matters since the modes don't do anything anyway) in the past. That's why I preferred to *start* with the forced-EOPNOTSUPP just in the new interface, so that links won't inadvertently get bogus modes set on them when libc starts using it. As long as some filesystems are representing access modes in links (and returning them via stat), it seems like there should be a way to "fix" any that were set in the past. The patch as I've submitted it now is the least invasive change in this sense; it does not take away any capability that already existed. Rich