Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp396452pxv; Wed, 30 Jun 2021 08:03:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyKiHlkI7D/Yyne5F42bOci66/+orz0otBeLXOUbaSKWuJugvUcmCu2ZPNmqYfESkQyJ673 X-Received: by 2002:a5d:6da2:: with SMTP id u2mr40015354wrs.355.1625065411724; Wed, 30 Jun 2021 08:03:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625065411; cv=none; d=google.com; s=arc-20160816; b=Un2N7BYQVDi5y9GqWXUkKSKPKNMncNbzUl0w4SQDpoQEqBnE3OG5CtsApSjzPqlCW/ ttnfVXKU9tdtXM+JkAlWiEZ+a4iMnNEqYSYRvzKHFnJK5ufEDGd4t5FKSuI3mCxr8qH4 Sj2ses30jTC+MOdoeh/7fAY9JGO4COyE5dqYgJmB8g48ZaaYpDKUbzLKllMYciAN6WW7 y3olSNbWoISt0DDc7otfYE5u9b6zeRSCY1InANCpKIxSPBI1qdp1j+VIJ12y+R0bILlN QGLa00LlSuIWBh4Ms5MendFCkpCb9dmgGIqUbHLkl/XICnNmsTWIajGFS+Dh2RpYTEPP p3kw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=OHjD8pVyx0xZX4QhRB5WBgUBwBi/yaPIVBuvLE0fbPs=; b=fWP/m5H6+qUfaN+pG8D5jNF0Gk31cTDPg2QMQcgORTs1aW3WNjUTYm3ALnTgNF8CrH 18jlnpAR9i4n0TUCA9+3S0Bn8BE5zca4DglSkiBQZyFOodtx0hmymHE5Q3+SozELVUdt sfB8A7Z/6Vfg7kl+OaHGHxIlgV4FQ69wsklOkqySeFghnyRgkpzMotJvNGm7VfjOOqR9 Fl5OF3mmWMjGtYVU5yGLQ1cSzbii6osGWBeCFDbsgxAm3UGBSMTFRUrXK/lqQuEm0H4S eb2xJ0IIBRCkc+WlHqRz5IAg4vqTDC5ugQQxKuTrwrPaX8jfULaxD8nUXU+Ut3gSWoTa BNEw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="BeHTk/0w"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f19si21435424edu.388.2021.06.30.08.03.06; Wed, 30 Jun 2021 08:03:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="BeHTk/0w"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235428AbhF3PET (ORCPT + 99 others); Wed, 30 Jun 2021 11:04:19 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:38273 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235352AbhF3PES (ORCPT ); Wed, 30 Jun 2021 11:04:18 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1625065309; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=OHjD8pVyx0xZX4QhRB5WBgUBwBi/yaPIVBuvLE0fbPs=; b=BeHTk/0wohAJCYGEHJFcKd9CArC3bRLXnh8h6A/8muAaaa+UZbxYIHIM4sVe31KJVao7Ns 99z2PSDzJ/uaKwnu1euXkSPo31ioQBmYdXZqy+CuvjIy4/vFI0SPr67+KbvmMnkDsovT4H /QSiTQy8Pjve6qwxc1+vo402LRf0wAI= Received: from mail-wm1-f69.google.com (mail-wm1-f69.google.com [209.85.128.69]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-469-Y4hI6FXfNOWQxOGf41_JQw-1; Wed, 30 Jun 2021 11:01:46 -0400 X-MC-Unique: Y4hI6FXfNOWQxOGf41_JQw-1 Received: by mail-wm1-f69.google.com with SMTP id i7-20020a05600c3547b02901eaa4d778adso614655wmq.7 for ; Wed, 30 Jun 2021 08:01:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=OHjD8pVyx0xZX4QhRB5WBgUBwBi/yaPIVBuvLE0fbPs=; b=Qqh68xOiB4p0HiqyPtj3hAhK51+1hhYQ0K0B/5uNxKWGul9pJp0hFxw1AVZtCBfWVd imPRMogJIW2DMbBH1Zoahjs1RkHNFY89o5Nn3NIck/SMLLnEphImnvPpxaD92rtf/6f+ 0o9SupsuokVEhxWVVZIQm1hL/7M4OQhEF3szmxUkA16Nlr2GFQFaPc7Pt8wVCXjuy85P OEWGoIRwShju1fgMw2oEajTupld20Dpbd3R6jL7fGW6jv9e/dBjcbIyOcNC6AHZ+Gjt+ ULA5GWk1Of2tYlM7EGfKivWFT2XpM0O5D7oD4QhzmNl7heG8o4XeDz30OuE+myhpIx0d ek7g== X-Gm-Message-State: AOAM530ErnWenFWIq8pI8HIpjhlZnR7bnWBQZQMRKRnk65//+gorsezt 8GX5aU+/p0tqeaQC3d3YPdeaKoCn292FEUQJU4VSYAPYVRIj9P1cQctDoQ5HgEjqhlq7K8amZPQ 0vBcRzZAPblOcaqTGC2iAbFUJ X-Received: by 2002:a05:6000:1a41:: with SMTP id t1mr39271106wry.175.1625065305723; Wed, 30 Jun 2021 08:01:45 -0700 (PDT) X-Received: by 2002:a05:6000:1a41:: with SMTP id t1mr39271083wry.175.1625065305573; Wed, 30 Jun 2021 08:01:45 -0700 (PDT) Received: from work-vm (cpc109021-salf6-2-0-cust453.10-2.cable.virginm.net. [82.29.237.198]) by smtp.gmail.com with ESMTPSA id d17sm8593511wro.93.2021.06.30.08.01.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Jun 2021 08:01:44 -0700 (PDT) Date: Wed, 30 Jun 2021 16:01:42 +0100 From: "Dr. David Alan Gilbert" To: Theodore Ts'o Cc: Daniel Walsh , Vivek Goyal , Casey Schaufler , "Schaufler, Casey" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "viro@zeniv.linux.org.uk" , "virtio-fs@redhat.com" , "berrange@redhat.com" , linux-security-module , "selinux@vger.kernel.org" Subject: Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE Message-ID: References: <20210629152007.GC5231@redhat.com> <78663f5c-d2fd-747a-48e3-0c5fd8b40332@schaufler-ca.com> <20210629173530.GD5231@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/2.0.7 (2021-05-04) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Theodore Ts'o (tytso@mit.edu) wrote: > On Wed, Jun 30, 2021 at 09:07:56AM +0100, Dr. David Alan Gilbert wrote: > > * Theodore Ts'o (tytso@mit.edu) wrote: > > > On Tue, Jun 29, 2021 at 04:28:24PM -0400, Daniel Walsh wrote: > > > > All this conversation is great, and I look forward to a better solution, but > > > > if we go back to the patch, it was to fix an issue where the kernel is > > > > requiring CAP_SYS_ADMIN for writing user Xattrs on link files and other > > > > special files. > > > > > > > > The documented reason for this is to prevent the users from using XATTRS to > > > > avoid quota. > > > > > > Huh? Where is it so documented? > > > > man xattr(7): > > The file permission bits of regular files and directories are > > interpreted differently from the file permission bits of special > > files and symbolic links. For regular files and directories the > > file permission bits define access to the file's contents, > > while for device special files they define access to the device > > described by the special file. The file permissions of symbolic > > links are not used in access checks. > > All of this is true... > > > *** These differences would > > allow users to consume filesystem resources in a way not > > controllable by disk quotas for group or world writable special > > files and directories.**** > > Anyone with group write access to a regular file can append to the > file, and the blocks written will be charged the owner of the file. > So it's perfectly "controllable" by the quota system; if you have > group write access to a file, you can charge against the user's quota. > This is Working As Intended. > > And the creation of device special files take the umask into account, > just like regular files, so if you have a umask that allows newly > created files to be group writeable, the same issue would occur for > regular files as device files. Given that most users have a umask of > 0077 or 0022, this is generally Not A Problem. > > I think I see the issue which drove the above text, though, which is > that Linux's syscall(2) is creating symlinks which do not take umask > into account; that is, the permissions are always mode ST_IFLNK|0777. > > Hence, it might be that the right answer is to remove this fairly > arbitrary restriction entirely, and change symlink(2) so that it > creates files which respects the umask. Posix and SUS doesn't specify > what the permissions are that are used, and historically (before the > advent of xattrs) I suspect since it didn't matter, no one cared about > whether or not umask was applied. > > Some people might object to such a change arguing that with > pre-existing file systems where there are symlinks which > world-writeable, this might cause people to be able to charge up to > 32k (or whatever the maximum size of the xattr supported by the file > system) for each symlink. However, (a) very few people actually use > quotas, and this would only be an issue for those users, and (b) the > amount of quota "abuse" that could be carried out this way is small > enough that I'm not sure it matters. Even if you fix symlinks, I don't think it fixes device nodes or anything else where the permissions bitmap isn't purely used as the permissions on the inode. Dave > - Ted > -- Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK