Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp654011pxk; Wed, 16 Sep 2020 13:26:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyikgJytHzIyttKZrVki52eDkZAoYFCZateQYTIXXg5Y3ay2Q/3FnMTojRlPNj80FbzNAd2 X-Received: by 2002:a17:906:7116:: with SMTP id x22mr28185784ejj.426.1600288007450; Wed, 16 Sep 2020 13:26:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600288007; cv=none; d=google.com; s=arc-20160816; b=Njm2rQZMO82udssCp/Qrvh5FmV8ifHhry9vZYXRIpZnPB5B6X5/o/y99Eli3MBzvaT kcaw232cS38gOa9sFhkhKHgrNRGJ0H1kXFc+1sU4GvqnRMZJLAbrgt9jn0uBcjf2+147 /NFSesq08gFeNn8+NI+0nMKsXgGsJC5x+Xou7I8Jn6467b8igCuUEbBWHy9otphcwb6Q 4Y85OOk4mGJEfdF0144QgVInGfaNCgaSx5uKyL/EIIFCSJ/dzH//I+Ofloq+S29T60ax UwntxV4YNFLY3Giu46wUtgyB/dGG2UIHpgcmim13ZFKs8SBzT/e5yeBT4P2p9iy1Ysgu Zung== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=4x0gue3rOXMDxgG0iX2ccecKnNMN5IKR9nRUwF1t1Fg=; b=QelcveQuNqBGOej+GTl3z6Hd63NdUoiQQPhut5hdX41lJgd9bHLbYREGQJG3b5DdSC Q48xHmAXP2lpFYEHS1RBTZcPMvsRxVFk9MauRHWpeme7D8uX4yCQMlT2LKDeipHbxISO BDlIcsF9qM1NmiDw7fJHSjFgiVRoJl/z6axttKQzHm/PmeSisFWxHqTvjUH2WFuBkqWH N8+UMOrKFpehLrbk2DmgTrLVga5R6bYlVv/Wgq5i1iplYrl2bHta6Z+2xLMk7KtxPzqR UJBouZwPuEQyrGXNHHY3SAetPtLKXjZcIKbDoyGCR3F/0hdHlIEV9HDtZyh1k0qvTfB4 aLGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cz6si13632043edb.142.2020.09.16.13.26.24; Wed, 16 Sep 2020 13:26:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728367AbgIPUWS (ORCPT + 99 others); Wed, 16 Sep 2020 16:22:18 -0400 Received: from brightrain.aerifal.cx ([216.12.86.13]:54226 "EHLO brightrain.aerifal.cx" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727123AbgIPR3H (ORCPT ); Wed, 16 Sep 2020 13:29:07 -0400 Date: Wed, 16 Sep 2020 11:36:19 -0400 From: Rich Felker To: Greg KH Cc: linux-api@vger.kernel.org, Alexander Viro , Christoph Hellwig , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 1/2] vfs: block chmod of symlinks Message-ID: <20200916153618.GT3265@brightrain.aerifal.cx> References: <20200916002157.GO3265@brightrain.aerifal.cx> <20200916002253.GP3265@brightrain.aerifal.cx> <20200916061815.GB142621@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200916061815.GB142621@kroah.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Sep 16, 2020 at 08:18:15AM +0200, Greg KH wrote: > On Tue, Sep 15, 2020 at 08:22:54PM -0400, Rich Felker wrote: > > It was discovered while implementing userspace emulation of fchmodat > > AT_SYMLINK_NOFOLLOW (using O_PATH and procfs magic symlinks; otherwise > > it's not possible to target symlinks with chmod operations) that some > > filesystems erroneously allow access mode of symlinks to be changed, > > but return failure with EOPNOTSUPP (see glibc issue #14578 and commit > > a492b1e5ef). This inconsistency is non-conforming and wrong, and the > > consensus seems to be that it was unintentional to allow link modes to > > be changed in the first place. > > > > Signed-off-by: Rich Felker > > --- > > fs/open.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/fs/open.c b/fs/open.c > > index 9af548fb841b..cdb7964aaa6e 100644 > > --- a/fs/open.c > > +++ b/fs/open.c > > @@ -570,6 +570,12 @@ int chmod_common(const struct path *path, umode_t mode) > > struct iattr newattrs; > > int error; > > > > + /* Block chmod from getting to fs layer. Ideally the fs would either > > + * allow it or fail with EOPNOTSUPP, but some are buggy and return > > + * an error but change the mode, which is non-conforming and wrong. */ > > + if (S_ISLNK(inode->i_mode)) > > + return -EOPNOTSUPP; > > I still fail to understand why these "buggy" filesystems can not be > fixed. Why are you papering over a filesystem-specific-bug with this Because that's what Christoph wanted, and it seems exposure of the vector for applying chmod to symlinks was unintentional to begin with. I have no preference how this is fixed as long as breakage is not exposed to userspace via the new fchmodat2 syscall (since a broken syscall would be worse than not having it at all). > core kernel change that we will forever have to keep? There's no fundamental reason it would have to be kept forever. The contract remains "either it works and reports success, or it makes no change and reports EOPNOTSUPP". It just can't do both. Rich