From 5723a848088292777f4f36d79832dff7889acc03 Mon Sep 17 00:00:00 2001
From: Kotresh HR <khiremat@redhat.com>
Date: Thu, 28 Apr 2022 16:01:48 +0530
Subject: [PATCH] client/fuse: Fix directory DACs overriding for root

DACs are overridable for directories. For files,
Read/write DACs are always overridable but executable
DACs are overridable when there is at least one exec bit
set.

The files and directory DACS overriding were handled the
same way for root which is incorrect. This patch fixes
DACs overriding as described above for the root.

Fixes: https://tracker.ceph.com/issues/55313
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 2e1f43c99b1818c2ffde64f5b01083c1907a9f87)
---
 .../permission/tasks/cfuse_workunit_misc.yaml |  1 +
 qa/workunits/fs/misc/dac_override.sh          | 19 +++++++++++++++++++
 src/client/Client.cc                          |  6 ++++--
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100755 qa/workunits/fs/misc/dac_override.sh

diff --git a/qa/suites/fs/permission/tasks/cfuse_workunit_misc.yaml b/qa/suites/fs/permission/tasks/cfuse_workunit_misc.yaml
index 6ff6195bfb473..ca026c45ff1ec 100644
--- a/qa/suites/fs/permission/tasks/cfuse_workunit_misc.yaml
+++ b/qa/suites/fs/permission/tasks/cfuse_workunit_misc.yaml
@@ -9,3 +9,4 @@ tasks:
       all:
         - fs/misc/acl.sh
         - fs/misc/chmod.sh
+        - fs/misc/dac_override.sh
diff --git a/qa/workunits/fs/misc/dac_override.sh b/qa/workunits/fs/misc/dac_override.sh
new file mode 100755
index 0000000000000..dfb1a909128da
--- /dev/null
+++ b/qa/workunits/fs/misc/dac_override.sh
@@ -0,0 +1,19 @@
+#!/bin/sh -x
+
+expect_failure() {
+	if "$@"; then return 1; else return 0; fi
+}
+
+set -e
+
+mkdir -p testdir
+file=test_chmod.$$
+
+echo "foo" > testdir/${file}
+sudo chmod 600 testdir
+
+# only root can read
+expect_failure cat testdir/${file}
+
+# directory read/write DAC override for root should allow read
+sudo cat testdir/${file}
diff --git a/src/client/Client.cc b/src/client/Client.cc
index 1250249b65c0b..86b1bb7fe881f 100644
--- a/src/client/Client.cc
+++ b/src/client/Client.cc
@@ -5615,8 +5615,10 @@ void Client::handle_cap_grant(MetaSession *session, Inode *in, Cap *cap, const M
 int Client::inode_permission(Inode *in, const UserPerm& perms, unsigned want)
 {
   if (perms.uid() == 0) {
-    // Executable are overridable when there is at least one exec bit set
-    if((want & MAY_EXEC) && !(in->mode & S_IXUGO))
+    // For directories, DACs are overridable.
+    // For files, Read/write DACs are always overridable but executable DACs are
+    // overridable when there is at least one exec bit set
+    if(!S_ISDIR(in->mode) && (want & MAY_EXEC) && !(in->mode & S_IXUGO))
       return -CEPHFS_EACCES;
     return 0;
   }
-- 
2.39.5