Unrestricted chown: adds "unrestricted_chown" mount option. Add a new unrestricted_chown mount option to the VFS. This option is used to disable the Posix _POSIX_CHOWN_RESTRICTED chown option on a given filesystem which forbids non-privilegued users to give away files. This is currently implemented by XFS as a sysctl, but making it per filesystem and available not just for XFS makes more sense. This has also been requested in http://oss.sgi.com/bugzilla/show_bug.cgi?id=768. See http://www.opengroup.org/onlinepubs/009695399/functions/chown.html for details. A patch to util-linux-ng to add the new mount option is also beeing submitted. This patch is on top of 2.6.28-rc5. Signed-off-by: Niraj Kumar <niraj17@xxxxxxxxx> diff --git a/fs/attr.c b/fs/attr.c index 7a83819..4547563 100644 --- a/fs/attr.c +++ b/fs/attr.c @@ -30,15 +30,27 @@ int inode_change_ok(struct inode *inode, struct iattr *attr) /* Make sure a caller can chown. */ if ((ia_valid & ATTR_UID) && (current->fsuid != inode->i_uid || - attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN)) - goto error; + attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN)) { + /* if "unrestricted_chown" is set, make sure owner can chown */ + if (!((inode->i_sb->s_flags & MS_UNRESTRICTED_CHOWN) && + (current->fsuid == inode->i_uid))) + goto error; + } /* Make sure caller can chgrp. */ if ((ia_valid & ATTR_GID) && (current->fsuid != inode->i_uid || (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) && - !capable(CAP_CHOWN)) - goto error; + !capable(CAP_CHOWN)) { + /* + * if "unrestricted_chown" is set, make sure the owner can + * change the group id only if he is a member of that group. + */ + if (!((inode->i_sb->s_flags & MS_UNRESTRICTED_CHOWN) && + (current->fsuid == inode->i_uid && + in_group_p(attr->ia_gid)))) + goto error; + } /* Make sure a caller can chmod. */ if (ia_valid & ATTR_MODE) { diff --git a/fs/namespace.c b/fs/namespace.c index 65b3dc8..3da02c3 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -757,6 +757,7 @@ static int show_sb_opts(struct seq_file *m, struct super_block *sb) { MS_SYNCHRONOUS, ",sync" }, { MS_DIRSYNC, ",dirsync" }, { MS_MANDLOCK, ",mand" }, + { MS_UNRESTRICTED_CHOWN, ",unrestricted_chown" }, { 0, NULL } }; const struct proc_fs_info *fs_infop; diff --git a/include/linux/fs.h b/include/linux/fs.h index 0dcdd94..090697b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -119,6 +119,7 @@ extern int dir_notify_enable; #define MS_REMOUNT 32 /* Alter flags of a mounted FS */ #define MS_MANDLOCK 64 /* Allow mandatory locks on an FS */ #define MS_DIRSYNC 128 /* Directory modifications are synchronous */ +#define MS_UNRESTRICTED_CHOWN 256 /* Unrestricted chown */ #define MS_NOATIME 1024 /* Do not update access times. */ #define MS_NODIRATIME 2048 /* Do not update directory access times */ #define MS_BIND 4096 @@ -141,7 +142,8 @@ extern int dir_notify_enable; /* * Superblock flags that can be altered by MS_REMOUNT */ -#define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_I_VERSION) +#define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_I_VERSION|\ + MS_UNRESTRICTED_CHOWN) /* * Old magic mount flag and mask -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html