    UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes · 07053c83
    Eric W. Biederman authored
    BugLink: http://bugs.launchpad.net/bugs/1634964
    
    Allow users with CAP_SYS_CHOWN over the superblock of a filesystem to
    chown files.  Ordinarily the capable_wrt_inode_uidgid check is
    sufficient to allow access to files but when the underlying filesystem
    has uids or gids that don't map to the current user namespace it is
    not enough, so the chown permission checks need to be extended to
    allow this case.
    
    Calling chown on filesystem nodes whose uid or gid don't map is
    necessary if those nodes are going to be modified as writing back
    inodes which contain uids or gids that don't map is likely to cause
    filesystem corruption of the uid or gid fields.
    
    Once chown has been called the existing capable_wrt_inode_uidgid
    checks are sufficient, to allow the owner of a superblock to do anything
    the global root user can do with an appropriate set of capabilities.
    
    For the proc filesystem this relaxation of permissions is not safe, as
    some files are owned by users (particularly GLOBAL_ROOT_UID) outside
    of the control of the mounter of the proc and that would be unsafe to
    grant chown access to.  So update setattr on proc to disallow changing
    files whose uids or gids are outside of proc's s_user_ns.
    
    The original version of this patch was written by: Seth Forshee.  I
    have rewritten and rethought this patch enough so it's really not the
    same thing (certainly it needs a different description), but he
    deserves credit for getting out there and getting the conversation
    started, and finding the potential gotchas and putting up with my
    semi-paranoid feedback.
    Inspired-by: Seth Forshee <seth.forshee@canonical.com>
    Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
    Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
    Acked-by: Tim Gardner <tim.gardner@canonical.com>
    Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
base.c 79.7 KB
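The permission decision the commit message describes, as an added Python model for illustration (not the kernel's code and not part of this commit): `UserNs`, `Inode`, `Task`, `chown_ok` and `proc_setattr_ok` are hypothetical names that mirror the kernel concepts, ids are plain integers, and a single range stands in for a namespace's id map. It shows the ordinary `capable_wrt_inode_uidgid` path failing on an unmapped inode, the superblock-owner relaxation letting the mounter chown it, and proc refusing the same relaxation for a file owned by global root.

```python
from collections import namedtuple

INVALID_ID = -1  # id left unmapped because the on-disk value is outside the mount's user namespace
UserNs = namedtuple("UserNs", "mapped parent", defaults=(None,))  # mapped: range of global ids
Inode = namedtuple("Inode", "uid gid sb_user_ns")                # sb_user_ns: superblock's s_user_ns
Task = namedtuple("Task", "fsuid user_ns chown_cap_ns")          # chown_cap_ns: ns where CAP_CHOWN is held

def ns_capable(task, ns):
    """CAP_CHOWN held in ns, or in any ancestor of ns, counts as capable over ns."""
    while ns is not None:
        if ns is task.chown_cap_ns:
            return True
        ns = ns.parent
    return False

def capable_wrt_inode_uidgid(task, inode):
    """The ordinary check: both ids must map into the caller's namespace."""
    m = task.user_ns.mapped
    return inode.uid in m and inode.gid in m and ns_capable(task, task.user_ns)

def chown_ok(task, inode, new_uid, sb_owner_relaxation=True):
    if task.fsuid == inode.uid and new_uid == inode.uid:
        return True  # owner leaving the owner unchanged
    if capable_wrt_inode_uidgid(task, inode):
        return True
    # The relaxation from the commit: the id does not map for the caller, but the
    # caller holds CAP_CHOWN over the user namespace that owns the superblock.
    return (sb_owner_relaxation and inode.uid not in task.user_ns.mapped
            and ns_capable(task, inode.sb_user_ns))

def proc_setattr_ok(task, inode, new_uid):
    """proc: refuse when the owner lies outside proc's s_user_ns (e.g. GLOBAL_ROOT_UID)."""
    m = inode.sb_user_ns.mapped
    if inode.uid not in m or inode.gid not in m:
        return False
    return chown_ok(task, inode, new_uid)

def scenarios():
    # Constructed sample: a container's root facing an unmapped inode and a proc entry.
    init_ns = UserNs(range(0, 2**32 - 1))
    ctr_ns = UserNs(range(100000, 165536), parent=init_ns)
    ctr_root = Task(fsuid=100000, user_ns=ctr_ns, chown_cap_ns=ctr_ns)
    unmapped = Inode(INVALID_ID, INVALID_ID, sb_user_ns=ctr_ns)  # on-disk id outside the map
    proc_file = Inode(0, 0, sb_user_ns=ctr_ns)                   # owned by global root
    return {
        "relaxed": chown_ok(ctr_root, unmapped, 100000),
        "strict": chown_ok(ctr_root, unmapped, 100000, sb_owner_relaxation=False),
        "proc_global_root": proc_setattr_ok(ctr_root, proc_file, 100000),
        "host_root": chown_ok(Task(0, init_ns, init_ns), Inode(100000, 100000, ctr_ns), 0),
    }
```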