[Acl-Devel] No extended attributes for sticky directories? (and samba)
Andreas Gruenbacher
agruen at suse.de
Thu Nov 2 17:18:08 CET 2006
Gerard,
On Thursday 26 October 2006 17:08, Dave Kleikamp wrote:
> On Thu, 2006-10-26 at 01:14 +1000, Gerard Neil wrote:
> > Hello,
> >
> > I have some queries about permissions for extended attributes in the
> > user.* namespace on sticky directories.
> >
> > The documented behaviour (from attr(5)) is that "access to extended
> > user attributes is restricted to the owner and to users with
> > appropriate capabilities for directories with the sticky bit set".
> >
> > I did some digging and I understand why write access to extended
> > attributes needs to be restricted on mode 1777 directories like /tmp.
> > Fair enough, there's a potential DoS otherwise.
> >
> > What I don't understand is the current behaviour under linux (I'm
> > looking at current stable tree 2.6.18.1). The vfs code in fs/xattr.c
> > prevents *all* read or write access to extended attributes for sticky
> > directories, for *all* users (including root).
>
> I agree that this looks wrong.
Indeed, yes. The xfs code has it right, and the patch is good. I'll fix the
two typos in the comment above in the same go, and push the resulting patch
(attached) upstream. Thanks for your help!
> The patch looks good to me. Rather than fix jfs in a similar manner,
> just leave it alone, and I'll patch jfs to remove the redundant
> permission checking and rely on the vfs.
Ack.
Cheers,
Andreas
Attachment: user-xattr-sticky-fix.diff (text/x-diff, 1844 bytes): http://acl.bestbits.at/pipermail/acl-devel/attachments/20061102/fb5a5688/attachment.bin