On Wed, Jan 04, 2023 at 11:53:56AM +0100, Miklos Szeredi wrote:
> On Wed, 4 Jan 2023 at 11:09, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > Over multiple kernel releases we have reworked setgid inheritance
> > significantly due to long-standing security issues, security issues that
> > were reintroduced after they were fixed, and the subtle and difficult
> > inheritance rules that plagued individual filesystems. We have lifted
> > setgid inheritance into the VFS proper in earlier patches. Starting with
> > kernel v6.2 we have made setgid inheritance consistent between the write
> > and setattr (ch{mod,own}) paths.
> >
> > The gist of the requirement is that in order to inherit the setgid bit
> > the user needs to be in the group of the file or have CAP_FSETID in
> > their user namespace. Otherwise the setgid bit will be dropped
> > regardless of the file's executability. Change the tests accordingly
> > and annotate them with the commits that changed the behavior.
> >
> > Note that only with v6.2 setgid inheritance works correctly for
> > overlayfs in the write path. Before this the setgid bit was always
> > retained.
>
> Shouldn't the test ignore sgid without group execute instead? It's
> not a security issue and expecting a certain value is not going to
> help find real issues (e.g. in old distro kernels, where this test
> will now start failing).

Yeah, I would be fine with just leaving the group-exec and all-exec tests
10 and 12 and dropping tests 9 and 11.

>
> Yeah, doing that is more involved, but I do believe that it would be
> the right way to go.

Just asking so I'm not missing a subtlety you're thinking of: why would
this be more involved? Seems easier to me even.