Hi again,

I played around a bit with permissions and OverlayFS and found the following general odd behavior. When caches are empty and access permissions are checked, the upper layer is checked first and if that passes, the lower layer is checked next. Apart from the fact that some positive check results are cached regardless of the accessing UID, it seems that the checking procedure itself is wrong.

Take the following example: in the lower directory there's a directory foo with permissions 0700, containing some world-readable file. In the upper layer, the same directory foo exists but with permissions 0755.

drwxr-xr-x lower/
drwx------ lower/foo/
-rw-r--r-- lower/foo/bar
drwxr-xr-x upper/
drwxr-xr-x upper/foo/

This situation would happen after the permissions of foo are changed from 0700 to 0755 in the overlay directory. Then when permissions are checked for access to that file in foo, the permissions of foo in the lower directory should be ignored in favor of the permissions of foo in the upper directory. In other words, as the documentation of OverlayFS itself puts it:

"Only the lists of names from directories are merged. Other content such as metadata and extended attributes are reported for the upper directory only. These attributes of the lower directory are hidden."

As I understand it, as soon as upper/foo exists its permissions should completely override those of lower/foo. This is obviously actually not the case, as anyone not allowed to read lower/foo/bar who tries to read foo/bar from the overlay when the caches are empty is actually denied access.

Cheers,
Ignacy

-- 
Ignacy Gawędzki
R&D Engineer
Green Communications
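The layout from the mail as a reproduction script (added here, not part of the original post): setup_layers builds lower/foo (0700, containing a world-readable bar) and upper/foo (0755); check_overlay mounts the overlay and attempts the read as an unprivileged user, which is where the documented behaviour (read allowed, upper/foo's mode applies) and the reported one (read denied with cold caches) diverge. The working directory, the test user (default nobody) and the use of GNU stat and setpriv are assumptions, not from the mail; the mount step needs root.

```shell
#!/bin/sh
# Reproduction of the overlayfs permission behaviour described in the mail.
# Assumptions (not from the original post): paths under $WORK, an
# unprivileged test user (default: nobody), GNU coreutils stat and setpriv.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the two layers exactly as listed in the mail: lower/foo is 0700 and
# holds a world-readable file; upper/foo is 0755 and otherwise empty.
setup_layers() {
    mkdir -p "$WORK/lower/foo" "$WORK/upper/foo" "$WORK/work" "$WORK/merged"
    echo "secret" > "$WORK/lower/foo/bar"
    chmod 0644 "$WORK/lower/foo/bar"
    chmod 0700 "$WORK/lower/foo"
    chmod 0755 "$WORK/lower" "$WORK/upper" "$WORK/upper/foo"
}

# Octal mode of a path (e.g. "700"), used to confirm the layout before mounting.
mode_of() {
    stat -c '%a' "$1"
}

# Mount the overlay and read foo/bar as an unprivileged user.
# Documented behaviour: upper/foo's 0755 applies and the read succeeds (returns 0).
# Behaviour reported in the mail: the read is denied on cold caches (returns 1).
# Requires root and overlayfs support; the mount is removed afterwards.
check_overlay() {
    user="${1:-nobody}"
    mount -t overlay overlay \
        -o "lowerdir=$WORK/lower,upperdir=$WORK/upper,workdir=$WORK/work" \
        "$WORK/merged"
    # Drop privileges for the access attempt only; root would bypass DAC checks.
    if setpriv --reuid="$user" --regid="$user" --clear-groups \
           cat "$WORK/merged/foo/bar" >/dev/null 2>&1; then
        rc=0; echo "read allowed: matches the documented upper-only metadata"
    else
        rc=1; echo "read denied: the behaviour reported in the mail"
    fi
    umount "$WORK/merged"
    return $rc
}

# Usage: sudo sh repro.sh run [testuser]
case "${1:-}" in
    run) setup_layers; check_overlay "${2:-nobody}" ;;
esac
```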