Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp448337pxv; Wed, 30 Jun 2021 09:11:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz6gq8sUra7wtl2IEPN7zSj/prkaz8dHIjz098OZcRGM3Om6w6EoyZ11V4UwDGJMYRIGnql X-Received: by 2002:a05:6402:1014:: with SMTP id c20mr24243227edu.380.1625069482022; Wed, 30 Jun 2021 09:11:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625069482; cv=none; d=google.com; s=arc-20160816; b=Ijnli46XJT/NAu6iT1UthboiCxPx9iebiTiOc0JuxoxnM9sZcMJmjXmf+YlcqjWFfU WNTJU4uw8+Htg34zlMxnT/t/h47xQfKKsnlbxjo/oSMrH8gBc89dX3iE0r0k9La4bWxn Vlbb73pNSBT5ty3REgAW7ohWOdNY79ukVio8AI554R1SLA1n466bazoouw9S36IFQYCR gtv12/I5HAflAyYA5uadlCEULgP1iiGKrmokKx2Q6jiRAoOyOnHt8tynVMmlqwOZH6oZ 6EKXpbd5FiUNDmvHMyUC75GttXEI/2qn17rxy6D7/qsCKLtByaBbaQstWeSxnpiUY3GI bsAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=52V6002QO3cX0YhTEgm8sdsHZhDo4SqxSLMck++RLBo=; b=CN6yyqj1mVXIQNUtzTeWB0AdK/7y1cuZI2X17fv0FfzqAzhRTLdUJrh4Wj2zsl/Bkn NElSE+PCatOG9OaUtMLkV+5wcb4Iuvg+js9OSLkn3YjmieEaCygwdhMQnAn0I8tBqz4T MMvq9X7dDghWPkBUZ07LB/2EhMZG8GNA1MSOTFv8PFt1hjDzZrvhwe5HMw2W5FVSEeXI Q2hG56a5jkIAOGt3UuH+PNIs3hSOYjziSkXtRnFRKWGxkc4gpn5WlXXFY3KoG1b8O3QE 4Iih2Q64fI/luW1Mznul5DJmxh8krKonn+Dxhd6B89t2mvMA7VWC6J9bEf177YfklvYP avJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WFjDn4fO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m19si7973376eje.174.2021.06.30.09.10.57; Wed, 30 Jun 2021 09:11:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=WFjDn4fO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231244AbhF3QMK (ORCPT + 99 others); Wed, 30 Jun 2021 12:12:10 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:47469 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230191AbhF3QMJ (ORCPT ); Wed, 30 Jun 2021 12:12:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1625069380; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=52V6002QO3cX0YhTEgm8sdsHZhDo4SqxSLMck++RLBo=; b=WFjDn4fOcEtkuToNJXwysAGS0Fl3c4TOj2z1lbVsPG/XjsOsPbhHPWgu2pDEtNSNAev2cL l7hUWMXv0dZ1XXIEKdyxvG+RYld0SQePpACwgsfxm54zt6V56pDOgwxg6QxZ60Tcpha+jj 7y0eF4BEywE2VGyox6IGpQF/zN4gUTI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-122-AQW-WcG6PSq609UJqweyuA-1; Wed, 30 Jun 2021 12:09:38 -0400 X-MC-Unique: AQW-WcG6PSq609UJqweyuA-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 542EB18414A2; Wed, 30 Jun 2021 16:09:37 +0000 (UTC) Received: from horse.redhat.com (ovpn-115-222.rdu2.redhat.com [10.10.115.222]) by smtp.corp.redhat.com (Postfix) with ESMTP id A7E2E5C1A3; Wed, 30 Jun 2021 16:09:33 +0000 (UTC) Received: by horse.redhat.com (Postfix, from userid 10451) id 4052122054F; Wed, 30 Jun 2021 12:09:33 -0400 (EDT) Date: Wed, 30 Jun 2021 12:09:33 -0400 From: Vivek Goyal To: Theodore Ts'o Cc: "Dr. David Alan Gilbert" , Daniel Walsh , Casey Schaufler , "Schaufler, Casey" , "linux-fsdevel@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "viro@zeniv.linux.org.uk" , "virtio-fs@redhat.com" , "berrange@redhat.com" , linux-security-module , "selinux@vger.kernel.org" Subject: Re: [RFC PATCH 0/1] xattr: Allow user.* xattr on symlink/special files if caller has CAP_SYS_RESOURCE Message-ID: <20210630160933.GC75386@redhat.com> References: <20210629152007.GC5231@redhat.com> <78663f5c-d2fd-747a-48e3-0c5fd8b40332@schaufler-ca.com> <20210629173530.GD5231@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 30, 2021 at 10:47:39AM -0400, Theodore Ts'o wrote: > On Wed, Jun 30, 2021 at 09:07:56AM +0100, Dr. David Alan Gilbert wrote: > > * Theodore Ts'o (tytso@mit.edu) wrote: > > > On Tue, Jun 29, 2021 at 04:28:24PM -0400, Daniel Walsh wrote: > > > > All this conversation is great, and I look forward to a better solution, but > > > > if we go back to the patch, it was to fix an issue where the kernel is > > > > requiring CAP_SYS_ADMIN for writing user Xattrs on link files and other > > > > special files. > > > > > > > > The documented reason for this is to prevent the users from using XATTRS to > > > > avoid quota. > > > > > > Huh? Where is it so documented? > > > > man xattr(7): > > The file permission bits of regular files and directories are > > interpreted differently from the file permission bits of special > > files and symbolic links. For regular files and directories the > > file permission bits define access to the file's contents, > > while for device special files they define access to the device > > described by the special file. The file permissions of symbolic > > links are not used in access checks. > > All of this is true... > > > *** These differences would > > allow users to consume filesystem resources in a way not > > controllable by disk quotas for group or world writable special > > files and directories.**** > > Anyone with group write access to a regular file can append to the > file, and the blocks written will be charged the owner of the file. > So it's perfectly "controllable" by the quota system; if you have > group write access to a file, you can charge against the user's quota. > This is Working As Intended. > > And the creation of device special files take the umask into account, > just like regular files, so if you have a umask that allows newly > created files to be group writeable, the same issue would occur for > regular files as device files. Given that most users have a umask of > 0077 or 0022, this is generally Not A Problem. > > I think I see the issue which drove the above text, though, which is > that Linux's syscall(2) is creating symlinks which do not take umask > into account; that is, the permissions are always mode ST_IFLNK|0777. IIUC, idea is to use permission bits on symlink to decide whether caller can read/write user.* xattrs (like regular file). Hence create symlinks while honoring umask (or default posix acl on dir) and modify relevant code for file creation. Also that possibly will require changing chmod to allow chaging mode on chmod. Vivek > > Hence, it might be that the right answer is to remove this fairly > arbitrary restriction entirely, and change symlink(2) so that it > creates files which respects the umask. Posix and SUS doesn't specify > what the permissions are that are used, and historically (before the > advent of xattrs) I suspect since it didn't matter, no one cared about > whether or not umask was applied. > > Some people might object to such a change arguing that with > pre-existing file systems where there are symlinks which > world-writeable, this might cause people to be able to charge up to > 32k (or whatever the maximum size of the xattr supported by the file > system) for each symlink. However, (a) very few people actually use > quotas, and this would only be an issue for those users, and (b) the > amount of quota "abuse" that could be carried out this way is small > enough that I'm not sure it matters. > > - Ted >