Re: [PATCH v2] generic: update setgid tests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 04, 2023 at 11:53:56AM +0100, Miklos Szeredi wrote:
> On Wed, 4 Jan 2023 at 11:09, Christian Brauner <brauner@xxxxxxxxxx> wrote:
> >
> > Over mutiple kernel releases we have reworked setgid inheritance
> > significantly due to long-standing security issues, security issues that
> > were reintroduced after they were fixed, and the subtle and difficult
> > inheritance rules that plagued individual filesystems. We have lifted
> > setgid inheritance into the VFS proper in earlier patches. Starting with
> > kernel v6.2 we have made setgid inheritance consistent between the write
> > and setattr (ch{mod,own}) paths.
> >
> > The gist of the requirement is that in order to inherit the setgid bit
> > the user needs to be in the group of the file or have CAP_FSETID in
> > their user namespace. Otherwise the setgid bit will be dropped
> > irregardless of the file's executability. Change the tests accordingly
> > and annotate them with the commits that changed the behavior.
> >
> > Note, that only with v6.2 setgid inheritance works correctly for
> > overlayfs in the write path. Before this the setgid bit was always
> > retained.
> 
> Shouldn't the test ignore sgid without group execute instead?   It's
> not a security issue and expecting a certain value is not going to
> help find real issues (e.g. in old distro kernels, where this test
> will now start failing).

Yeah, I would be fine with just leaving the group-exec and all-exec
tests 10 and 12 and dropping tests 9 and 11.

> 
> Yeah, doing that is more involved, but I do believe that it would be
> the right way to go.

Just asking so I'm not missing a subtlety you're thinking of: why would
this be more involved? Seems easier to me even.



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux