On Wed, Nov 20, 2019 at 7:41 AM <hubcap@xxxxxxxxxx> wrote:
>
> From: Mike Marshall <hubcap@xxxxxxxxxxxx>
>
> Orangefs doesn't have an open function. Orangefs performs
> permission checks on files each time they are accessed.

This is completely broken, and your fix doesn't even fix the brokenness.

Giving a user access rights as a workaround for the breakage is wrong, and has nothing at all to do with POSIX. It just breaks things even more in other ways - now you open other processes to re-open the file when they really really shouldn't be able to.

So your "fix" is quite possibly a security issue.

Also, the much more common case - that your patch doesn't fix - is that a file is opened with one set of credentials, and then used with another set entirely. Trying to use some kind of ACL to say "original opener can write to this" is wrong, and doesn't fix that.

For example, the file may be opened by root, and then root drops all privileges and reverts to the original user. The file should still be writable, even though the UID changed.

(Another case of that is to just transfer the fd over unix domain sockets to a different process entirely, but that is much more unusual).

The fact is, permission checks at the time of access are simply *wrong*. They cannot work. No amount of "give the file a fake ACL" will ever make it work.

The permission checks are done at open time. After that, they are simply not done. That's the POSIX model.

Linus
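
The open-time model described in the message above, as an added C example that is not part of the original e-mail and is not OrangeFS or kernel code: a descriptor obtained while access was allowed keeps working after every mode bit is revoked, while a fresh open() is where the check is applied. The names demo_open_time_check and struct result and the scratch path under /tmp are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names for this illustration; not from any project. */
struct result {
    int write_ok;      /* write through the already-open fd succeeded */
    int read_back_ok;  /* same fd returned the bytes just written */
    int reopen_errno;  /* errno of a fresh open(); 0 if it succeeded */
};
/* Open a scratch file, revoke every mode bit, then keep using the fd. */
static int demo_open_time_check(struct result *r)
{
    char path[] = "/tmp/open_check_XXXXXX";  /* constructed scratch path */
    static const char msg[] = "written after chmod 000\n";
    const ssize_t len = (ssize_t)sizeof msg - 1;
    char buf[sizeof msg] = {0};
    memset(r, 0, sizeof *r);
    int fd = mkstemp(path);                  /* created 0600, opened O_RDWR */
    if (fd < 0)
        return -1;
    int rc = fchmod(fd, 0);                  /* mode 000 from here on */
    if (rc == 0) {
        /* Existing descriptor: access was decided when it was opened. */
        r->write_ok = write(fd, msg, (size_t)len) == len;
        r->read_back_ok = pread(fd, buf, (size_t)len, 0) == len &&
                          memcmp(buf, msg, (size_t)len) == 0;
        /* Fresh open(): the check runs here (root bypasses it). */
        int fd2 = open(path, O_RDWR);
        r->reopen_errno = fd2 < 0 ? errno : 0;
        if (fd2 >= 0)
            close(fd2);
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct result r;
    int rc = demo_open_time_check(&r);
    printf("write_ok=%d reopen_errno=%d\n", r.write_ok, r.reopen_errno);
    return rc != 0;
}
```

Run as an unprivileged user, the fresh open() fails with EACCES while the write through the existing descriptor still succeeds; run as root, the fresh open() succeeds as well because root bypasses the mode bits.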