[PATCH] s3: Allow stat call with capability in vfs_gpfs

Abhidnya S Joshi achirmul at in.ibm.com
Sun Dec 15 22:10:48 MST 2013


Hi Volker, Christof,

Please find attached patches taking care of the suggestions below.

Please let me know your comments.

Thanks and Regards
Abhidnya

Volker Lendecke <Volker.Lendecke at sernet.de> wrote on 11/26/2013 10:59:55 AM:

> From: Volker Lendecke <Volker.Lendecke at sernet.de>
> To: Christof Schmitt <cs at samba.org>, 
> Cc: Abhidnya S Joshi/India/IBM at IBMIN, samba-technical at samba.org
> Date: 11/26/2013 10:59 AM
> Subject: Re: [PATCH] s3: Allow stat call with capability in vfs_gpfs
> 
> On Fri, Nov 08, 2013 at 02:13:34PM -0700, Christof Schmitt wrote:
> > From: Abhidnya Joshi <achirmul at in.ibm.com>
> > 
> > stat call will not succeed if READ_ATTR (nfsv4 perm) is not allowed in
> > GPFS but will succeed in NTFS.
> 
> To be honest, I don't like this. CAP_DAC_OVERRIDE is really
> strong and this patch does not distinguish between the
> READ_ATTR case you mention and general, legitimate EACCES
> where we really don't have the access bits somewhere in the
> path.
> 
> I'd feel better if you could open the directory part of the
> file name in question without the capability and then only
> do an fstatat with the cap. On older systems without fstatat
> you might go the racy route and do a stat on "." within the
> directory without the capability and only if that works do
> the stat with the capability.
> 
> I'd also like to get some more comments here from people
> with more security background.
> 
> Also, can you split up adding the OVERRIDE and using it in
> the GPFS module into two patches?
> 
> Thanks,
> 
> Volker
> 
> -- 
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
> http://www.sernet.de, mailto:kontakt at sernet.de
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-Add-DAC_OVERRIDE-capability-support.patch
Type: application/octet-stream
Size: 1169 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131216/27e9b255/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-Handle-stat-call-with-capability-in-vfs_gpfs.patch
Type: application/octet-stream
Size: 2404 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20131216/27e9b255/attachment-0001.obj>
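
The two-step lookup suggested in the quoted review (open the directory without the capability, then fstatat with it), as an added C example; this is not the code from the attached patches, whose contents are not shown on this page. The function name, the raise/drop hooks (stand-ins for whatever toggles CAP_DAC_OVERRIDE) and the use of AT_SYMLINK_NOFOLLOW are assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hooks: stand-ins for raising/dropping CAP_DAC_OVERRIDE. */
static int cap_raised;                      /* counts privileged retries */
static void demo_raise(void) { cap_raised++; }
static void demo_drop(void) { }

int stat_via_dirfd(const char *path, struct stat *st,
                   void (*raise_cap)(void), void (*drop_cap)(void))
{
    char dir[PATH_MAX];
    const char *slash = strrchr(path, '/');
    const char *base = slash ? slash + 1 : path;
    size_t dlen = slash ? (size_t)(slash - path) : 0;
    int dirfd, ret, saved;

    if (dlen >= sizeof(dir)) { errno = ENAMETOOLONG; return -1; }
    memcpy(dir, path, dlen);
    dir[dlen] = '\0';
    if (dlen == 0) strcpy(dir, slash ? "/" : ".");
    if (*base == '\0') base = ".";   /* trailing slash: stat the directory */

    /* Step 1, no capability: missing access bits on the path fail here. */
    dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd == -1) return -1;

    /* Step 2: unprivileged first; retry with the capability only on EACCES.
     * AT_SYMLINK_NOFOLLOW is this example's assumption, so the privileged
     * call never follows a link out of the directory just opened. */
    ret = fstatat(dirfd, base, st, AT_SYMLINK_NOFOLLOW);
    if (ret == -1 && errno == EACCES) {
        raise_cap();
        ret = fstatat(dirfd, base, st, AT_SYMLINK_NOFOLLOW);
        saved = errno;
        drop_cap();                  /* never leave the capability raised */
        errno = saved;
    }
    saved = errno;
    close(dirfd);
    errno = saved;
    return ret;
}

int main(int argc, char **argv) {
    struct stat st;
    return stat_via_dirfd(argc > 1 ? argv[1] : ".", &st, demo_raise, demo_drop) != 0;
}
```

Because the directory open in step 1 runs without the capability, a failure there is returned to the caller as-is and the privileged retry is never reached.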

