permission() bug?

From: Andreas Gruenbacher
Date: Thu Oct 16 2003 - 10:06:31 EST

Next message: Jeff Garzik: "Re: [RFC] frandom - fast random generator module"
Previous message: Andrew Morton: "Re: 2.6.0-test7-mm1"
Next in thread: Michael Kerrisk: "Re: permission() bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

I think there is a bug in fs/namei.c:vfs_permission(). The function
contains:

int vfs_permission(struct inode * inode, int mask)
{
[...]
/*
* Read/write DACs are always overridable.
* Executable DACs are overridable if at least one exec
* bit is set.
*/
if ((mask & (MAY_READ|MAY_WRITE)) || (inode->i_mode & S_IXUGO))
if (capable(CAP_DAC_OVERRIDE))
return 0;
[...]
return -EACCES;
}

The comment makes sense; the code doesn't quite implement what the
comment says. Consider the case of an inode with "--" permissions. We
get the following results:

permission(inode, MAY_READ) = 0
permission(inode, MAY_EXEC) = -EACCESS
permission(inode, MAY_READ|MAY_EXEC = 0

The last result seems wrong; I would expect -EACCESS instead. So IMHO
the code in permission (and in the file system specific copies) should
read:

if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO))
if (capable(CAP_DAC_OVERRIDE))
return 0;

Regards,
--
Andreas Gruenbacher <agruen@xxxxxxx>
SuSE Labs, SuSE Linux AG <http://www.suse.de/>

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jeff Garzik: "Re: [RFC] frandom - fast random generator module"
Previous message: Andrew Morton: "Re: 2.6.0-test7-mm1"
Next in thread: Michael Kerrisk: "Re: permission() bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]