DACs are overridable for directories. For files,
Read/write DACs are always overridable but executable
DACs are overridable when there is at least one exec bit
set.
The files and directory DACS overriding were handled the
same way for root which is incorrect. This patch fixes
DACs overriding as described above for the root.
Fixes: https://tracker.ceph.com/issues/55313
Signed-off-by: Kotresh HR <khiremat@redhat.com>
all:
- fs/misc/acl.sh
- fs/misc/chmod.sh
+ - fs/misc/dac_override.sh
--- /dev/null
+#!/bin/sh -x
+
+expect_failure() {
+ if "$@"; then return 1; else return 0; fi
+}
+
+set -e
+
+mkdir -p testdir
+file=test_chmod.$$
+
+echo "foo" > testdir/${file}
+sudo chmod 600 testdir
+
+# only root can read
+expect_failure cat testdir/${file}
+
+# directory read/write DAC override for root should allow read
+sudo cat testdir/${file}
int Client::inode_permission(Inode *in, const UserPerm& perms, unsigned want)
{
if (perms.uid() == 0) {
- // Executable are overridable when there is at least one exec bit set
- if((want & MAY_EXEC) && !(in->mode & S_IXUGO))
+ // For directories, DACs are overridable.
+ // For files, Read/write DACs are always overridable but executable DACs are
+ // overridable when there is at least one exec bit set
+ if(!S_ISDIR(in->mode) && (want & MAY_EXEC) && !(in->mode & S_IXUGO))
return -CEPHFS_EACCES;
return 0;
}
projects / ceph-ci.git / commitdiff