[PATCH] fs: Delete group check before ACL

Skipping the full file ACL checks when there are no Group permissions
means we can't deny access to specific users or groups which we ban
according to ACL_USER, ACL_GROUP and ACL_MASK rules, because they may
pass due to Other permissions.

Example:
  date > test_file
  setfacl -m u:1000:rwx,g:2000:rwx,u::rwx,g::rwx,o::rwx,m::0 test_file
  capsh --groups=1000 --gid=1000 --uid=1000 -- -c "cat test_file"
  capsh --groups=2000 --gid=2000 --uid=2000 -- -c "cat test_file"

Signed-off-by: Wang Boshi <wangboshi@xxxxxxxxxx>
---
 fs/namei.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c
index 578c2110df02..d5772a31b5fc 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -347,7 +347,7 @@ static int acl_permission_check(struct user_namespace *mnt_userns,
 	}
 
 	/* Do we have ACL's? */
-	if (IS_POSIXACL(inode) && (mode & S_IRWXG)) {
+	if (IS_POSIXACL(inode)) {
 		int error = check_acl(mnt_userns, inode, mask);
 		if (error != -EAGAIN)
 			return error;
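
Review bot: The condition at `if (IS_POSIXACL(inode))` now reaches check_acl() for every POSIX-ACL inode, including those whose group bits are zero, and neither the `/* Do we have ACL's? */` comment nor the changelog says what that costs on the permission-check path or why the dropped `(mode & S_IRWXG)` test was safe to remove. Please expand the comment to state that an inode with zero group bits must still go through check_acl() so that ACL_USER and ACL_GROUP entries are denied instead of falling through to the Other bits. The changelog example should also give the expected and the observed result of the two capsh commands, before and after the change, so the behaviour being fixed can be reproduced and turned into a regression test.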
-- 
2.29.2



