On Tue, 07 Aug 2007 08:00:40 +0200
Miklos Szeredi <[email protected]> wrote:
> (cutting out lists from CC)
>
> > > > > Your patch is changing the API in a very unsafe way, since there will
> > > > > be no error or warning on an unconverted fs. And that could lead to
> > > > > security holes.
> > > > >
> > > > > If we would rename the setattr method to setattr_new as well as
> > > > > changing it's behavior, that would be fine. But I guess we do not
> > > > > want to do that.
> > > >
> > > > Which "unconverted fses"? If we're talking out of tree stuff, then too
> > > > bad: it is _their_ responsibility to keep up with kernel changes.
> > >
> > > It is usually a good idea to not change the semantics of an API in a
> > > backward incompatible way without changing the syntax as well.
> >
> > We're taking two setattr flags ATTR_KILL_SGID, and ATTR_KILL_SUID which
> > have existed for several years in the VFS, and making them visible to
> > the filesystems. Out-of-tree filesystems that care can check for them in
> > a completely backward compatible way: you don't even need to add a
> > #define.
>
> Making flags visible is not the problem.
>
> Making another flag invisible (ATTR_MODE) at the same time _is_.
>
> > > This is true regardless of whether we care about out-of-tree code or
> > > not (and we should care to some degree). And especially true if the
> > > change in question is security sensitive.
> >
> > It is not true "regardless": the in-tree code is being converted.
> > Out-of-tree code is the only "problem" here, and their only problem is
> > that they may have to add support for the new flags if they also support
> > suid/sgid mode bits.
>
> Yes. And there would be no problem with that, as long as it would be
> breaking the API in a visible way. It does not do that and that is
> unsafe.
>
> The other thing with this change is, that it's generally a good idea
> to let the VFS do as much as possible, because then filesystem writers
> won't get it wrong.
>
> In this case the suid/sgid check needs to be omitted for _very_ few
> filesystems (NFS and fuse). So it makes sense to leave the check
> outside filesystem code, and move it inside only when necessary.
>
On the other hand, the filesystem writers here are declaring their own
setattr operation. Is it unreasonable for them to take responsibility
for handling this too?
There are other in-tree filesystems that likely need to have this check
omitted (other networked filesystems in particular), but this
patchset tries to make this change transparent for now. Those authors
can go back and fix this up later.
As Trond said, in-tree filesystems will be converted so they won't
be an issue. The only danger is someone who is running unconverted
out-of-tree filesystem code on a kernel with this patch. Is that enough
of an issue to warrant us taking extra steps to deal with it?
Another alternative might be to rename notify_change(). I don't really
like gratuitously breaking the API, though, and that function is
referenced in a lot of documentation. Changing it might be confusing...
--
Jeff Layton <[email protected]>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]