git.kernelconcepts.de Git - karo-tx-linux.git/commit

author	Jeff Mahoney <jeffm@suse.com>
	Fri, 23 Apr 2010 17:17:37 +0000 (13:17 -0400)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Wed, 12 May 2010 21:57:01 +0000 (14:57 -0700)
commit	aab06bd25fa245a3475c35f8934e1e810d6ca8f8
tree	1881fb08ef4aa772e12e506eb0586c6e9465a37f	tree \| snapshot
parent	a988a1781479b17237042f9fa08bfe552fe592b0	commit \| diff

reiserfs: fix permissions on .reiserfs_priv

commit cac36f707119b792b2396aed371d6b5cdc194890 upstream.

Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove
privroot hiding in lookup") removed the magic from the lookup code to hide
the .reiserfs_priv directory since it was getting loaded at mount-time
instead.  The intent was that the entry would be hidden from the user via
a poisoned d_compare, but this was faulty.

This introduced a security issue where unprivileged users could access and
modify extended attributes or ACLs belonging to other users, including
root.

This patch resolves the issue by properly hiding .reiserfs_priv.  This was
the intent of the xattr poisoning code, but it appears to have never
worked as expected.  This is fixed by using d_revalidate instead of
d_compare.

This patch makes -oexpose_privroot a no-op.  I'm fine leaving it this way.
The effort involved in working out the corner cases wrt permissions and
caching outweigh the benefit of the feature.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Edward Shishkin <edward.shishkin@gmail.com>
Reported-by: Matt McCutchen <matt@mattmccutchen.net>
Tested-by: Matt McCutchen <matt@mattmccutchen.net>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

fs/reiserfs/dir.c		diff \| blob \| history
fs/reiserfs/xattr.c		diff \| blob \| history