From: Nishtha Rai <nishtha3rai@gmail.com>
Date: Thu, 23 Jul 2015 15:20:18 +0000 (+0530)
Subject: MDSAuthCaps: validate create access
X-Git-Tag: v10.0.0~123^2~55
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4f71b113796b770dc14109551d396a841d94eef9;p=ceph.git

MDSAuthCaps: validate create access

Signed-off-by: Nishtha Rai <nishtha3rai@gmail.com>
---

diff --git a/src/mds/MDSAuthCaps.cc b/src/mds/MDSAuthCaps.cc
index 17682ac80be8..f1f0cbb0217a 100644
--- a/src/mds/MDSAuthCaps.cc
+++ b/src/mds/MDSAuthCaps.cc
@@ -135,13 +135,13 @@ bool MDSCapMatch::match(const std::string &target_path,
  */
 bool MDSAuthCaps::is_capable(const std::string &inode_path,
 			     uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
-			     uid_t uid, unsigned mask) const
+			     uid_t uid, gid_t gid, unsigned mask) const
 {
   if (cct)
     ldout(cct, 10) << __func__ << " inode(path /" << inode_path
 		 << " owner " << inode_uid << ":" << inode_gid
 		 << " mode 0" << std::oct << inode_mode << std::dec
-		 << ") by uid " << uid << " mask " << mask << " cap: " << *this << dendl;
+		 << ") by uid " << uid << " gid " << gid << " mask " << mask << " cap: " << *this << dendl;
 
   for (std::vector<MDSCapGrant>::const_iterator i = grants.begin();
        i != grants.end();
@@ -149,6 +149,12 @@ bool MDSAuthCaps::is_capable(const std::string &inode_path,
 
     if (i->match.match(inode_path, uid) &&
 	i->spec.allows(mask & (MAY_READ|MAY_EXECUTE), mask & MAY_WRITE)) {
+
+	  if ((mask & MAY_CREATE) &&
+	  (inode_gid != gid)) {
+	    continue;
+	  }
+
       // check unix permissions?
       if (i->match.uid == MDSCapMatch::MDS_AUTH_UID_ANY) {
         return true;
diff --git a/src/mds/MDSAuthCaps.h b/src/mds/MDSAuthCaps.h
index 143444e0c541..291a971ce7db 100644
--- a/src/mds/MDSAuthCaps.h
+++ b/src/mds/MDSAuthCaps.h
@@ -27,6 +27,7 @@ enum {
   MAY_READ = 1,
   MAY_WRITE = 2,
   MAY_EXECUTE = 4,
+  MAY_CREATE = 8
 };
 
 class CephContext;
@@ -108,7 +109,7 @@ public:
   bool allow_all() const;
   bool is_capable(const std::string &inode_path,
 		  uid_t inode_uid, gid_t inode_gid, unsigned inode_mode,
-		  uid_t uid, unsigned mask) const;
+		  uid_t uid, gid_t gid, unsigned mask) const;
 
   friend std::ostream &operator<<(std::ostream &out, const MDSAuthCaps &cap);
 };
diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 2247795010ee..3ac09731c144 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -2110,6 +2110,7 @@ bool Server::check_access(MDRequestRef& mdr, CInode *in, unsigned mask)
   Session *s = mdr->session;
 
   uid_t uid = mdr->client_request->get_caller_uid();
+  gid_t gid = mdr->client_request->get_caller_gid();
 
   // FIXME: behave with inodes in stray dir
   // FIXME: behave with hard links
@@ -2119,7 +2120,7 @@ bool Server::check_access(MDRequestRef& mdr, CInode *in, unsigned mask)
     path = path.substr(1);    // drop leading /
 
   if (s->auth_caps.is_capable(path, in->inode.uid, in->inode.gid, in->inode.mode,
-			      uid, mask)) {
+			      uid, gid, mask)) {
     return true;
   }
 
@@ -4543,7 +4544,7 @@ void Server::handle_client_mkdir(MDRequestRef& mdr)
     return;
 
   // mkdir check access
-  if (!check_access(mdr, diri, MAY_WRITE))
+  if (!check_access(mdr, diri, (MAY_WRITE | MAY_CREATE)))
     return;
 
   // new inode