Commit 939a9421 authored by Amerigo Wang's avatar Amerigo Wang Committed by James Morris
Browse files

vfs: allow file truncations when both suid and write permissions set 



When suid is set and the non-owner user has write permission, any writing
into this file should be allowed and suid should be removed after that.

However, current kernel only allows writing without truncations, when we
do truncations on that file, we get EPERM.  This is a bug.

Steps to reproduce this bug:

% ls -l rootdir/file1
-rwsrwsrwx 1 root root 3 Jun 25 15:42 rootdir/file1
% echo h > rootdir/file1
zsh: operation not permitted: rootdir/file1
% ls -l rootdir/file1
-rwsrwsrwx 1 root root 3 Jun 25 15:42 rootdir/file1
% echo h >> rootdir/file1
% ls -l rootdir/file1
-rwxrwxrwx 1 root root 5 Jun 25 16:34 rootdir/file1

Signed-off-by: default avatarWANG Cong <amwang@redhat.com>
Cc: Eric Sandeen <esandeen@redhat.com>
Acked-by: default avatarEric Paris <eparis@redhat.com>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent bc6a6008

fs/open.c

+6 −4
Original line number Diff line number Diff line
@@ -199,7 +199,7 @@ out: 
int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,

	struct file *filp)

{

	int err;

	int ret;

	struct iattr newattrs;



	/* Not pretty: "inode->i_size" shouldn't really be signed. But it is. */
@@ -214,12 +214,14 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, 
	}



	/* Remove suid/sgid on truncate too */

	newattrs.ia_valid |= should_remove_suid(dentry);

	ret = should_remove_suid(dentry);

	if (ret)

		newattrs.ia_valid |= ret | ATTR_FORCE;



	mutex_lock(&dentry->d_inode->i_mutex);

	err = notify_change(dentry, &newattrs);

	ret = notify_change(dentry, &newattrs);

	mutex_unlock(&dentry->d_inode->i_mutex);

	return err;

	return ret;

}



static long do_sys_truncate(const char __user *pathname, loff_t length)

CRA Git | Maintained and supported by SUSTech CRA and CCSE