Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp506424pxk; Wed, 16 Sep 2020 09:24:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyW+xntprZHz2iBcXa3/8cZYzjKyIBtrh8aCXUss1Fo8ItXs87skQhAgj6XkxjLhM3j1QuM X-Received: by 2002:a05:6402:8d3:: with SMTP id d19mr28421008edz.68.1600273484344; Wed, 16 Sep 2020 09:24:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600273484; cv=none; d=google.com; s=arc-20160816; b=GANeLN5rrBB12mz/SbOGdyjOe6lPnHyuFlGmKS/C5un+58ziQkrlzQ49C3NL+W2ZK+ 2rCzyspvL+jgleto0awuUKkFhETeP8j8gMNb1zhWecewVVTBw/U+yUDjl5jRs4AgzG0a IgohvywY41VeGKUQna+vhJriUzecBAQnZ2186dBoSsNdScYjEW+PpOPlltcGmwj0Cx8u uRD0xfwFfwA4dtuDVzcc4NCUrd4/JIhpauhT21jDC7IulnkfypGl1WiJnK3agE1AB0nY HeY2oWxbrxDCqGe5xRw1qSFekOJtPS19JTNow4VyRd4W6kOo6JQovk3QY7e8oIGDqUw4 Ymqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Fg7i8JiNItnOdiWNN43185v7hETbHX4CS4IZVhORNXo=; b=eXXUjyJn2kdHeSlHrqpSy0NnOKsb1eDpgu9Oq4mFyo2Bs8euZ1cvpzz9lOLkKZe1HP eLeZTZRtnaWGEUJwp2O80BPXHknjhOUiSINoVx8YYkGTmsmWyRV1OTRTbb4Wwg5OzcMh cohVxFoG/CdAdS1PEiM5xt4fCIPJjOgOVrItRd5+PJUcEjpGGy3QfQ5ZH6Nqhv9ptNAP fGHrEx0cbiqQK/5BuCT2bvuAYxi2XA7s9PJ7FGlNrJiZ0IAHYGxQDvwalVE3KBAtxbq2 lRamnVVNkEtP0OFxmGSbiAicZNn4HIAQCJoFWU88VXrKUwPq2COhxS3rFrT8KYerm8yZ CGjw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id rh24si12244755ejb.283.2020.09.16.09.24.20; Wed, 16 Sep 2020 09:24:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726410AbgIPQPB (ORCPT + 99 others); Wed, 16 Sep 2020 12:15:01 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:54178 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726484AbgIPQOc (ORCPT ); Wed, 16 Sep 2020 12:14:32 -0400 Date: Wed, 16 Sep 2020 11:41:22 -0400 From: Rich Felker To: Christoph Hellwig Cc: linux-api@vger.kernel.org, Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 1/2] vfs: block chmod of symlinks Message-ID: <20200916154122.GU3265@brightrain.aerifal.cx> References: <20200916002157.GO3265@brightrain.aerifal.cx> <20200916002253.GP3265@brightrain.aerifal.cx> <20200916062553.GB27867@infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200916062553.GB27867@infradead.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 16, 2020 at 07:25:53AM +0100, Christoph Hellwig wrote: > On Tue, Sep 15, 2020 at 08:22:54PM -0400, Rich Felker wrote: > > It was discovered while implementing userspace emulation of fchmodat > > AT_SYMLINK_NOFOLLOW (using O_PATH and procfs magic symlinks; otherwise > > it's not possible to target symlinks with chmod operations) that some > > filesystems erroneously allow access mode of symlinks to be changed, > > but return failure with EOPNOTSUPP (see glibc issue #14578 and commit > > a492b1e5ef). This inconsistency is non-conforming and wrong, and the > > consensus seems to be that it was unintentional to allow link modes to > > be changed in the first place. > > > > Signed-off-by: Rich Felker > > --- > > fs/open.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/fs/open.c b/fs/open.c > > index 9af548fb841b..cdb7964aaa6e 100644 > > --- a/fs/open.c > > +++ b/fs/open.c > > @@ -570,6 +570,12 @@ int chmod_common(const struct path *path, umode_t mode) > > struct iattr newattrs; > > int error; > > > > + /* Block chmod from getting to fs layer. Ideally the fs would either > > + * allow it or fail with EOPNOTSUPP, but some are buggy and return > > + * an error but change the mode, which is non-conforming and wrong. */ > > + if (S_ISLNK(inode->i_mode)) > > + return -EOPNOTSUPP; > > Our usualy place for this would be setattr_prepare. Also the comment > style is off, and I don't think we should talk about buggy file systems > here, but a policy to not allow the chmod. I also suspect the right > error value is EINVAL - EOPNOTSUPP isn't really used in normal posix > file system interfaces. EINVAL is non-conforming here. POSIX defines it as unsupported mode or flag. Lack of support for setting an access mode on symlinks is a distinct failure reason, and POSIX does not allow overloading error codes like this. Even if it were permitted, it would be bad to do this because it would make it impossible for the application to tell whether the cause of failure is an invalid mode or that the filesystem/implementation doesn't support modes on symlinks. This matters because one is usually a fatal error and the other is a condition to ignore. Moreover, the affected applications (e.g. coreutils, tar, etc.) already accept EOPNOTSUPP here from libc. Defining a new error would break them unless libc translated whatever the syscall returns to the expected EOPNOTSUPP. Rich