summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSteve French <sfrench@us.ibm.com>2007-11-02 03:30:35 +0100
committerAdrian Bunk <bunk@kernel.org>2007-11-02 03:30:35 +0100
commitda8262844e325cc9361114c55e8507c1fee54941 (patch)
tree2ddc91fece4fe22597c9171b8d666dc54a23ecb7
parentc515d9db76c3fe82243677ecfbff559d05f9e852 (diff)
CIFS should honour umask (CVE-2007-3740)
This patch makes CIFS honour a process' umask like other filesystems. Of course the server is still free to munge the permissions if it wants to; but the client will send the "right" permissions to begin with. A few caveats: 1) It only applies to filesystems that have CAP_UNIX (aka support unix extensions) 2) It applies the correct mode to the follow up CIFSSMBUnixSetPerms() after remote creation When mode to CIFS/NTFS ACL mapping is complete we can do the same thing for that case for servers which do not support the Unix Extensions. Signed-off-by: Matt Keenen <matt@opcode-solutions.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Adrian Bunk <bunk@kernel.org>
-rw-r--r--fs/cifs/dir.c6
-rw-r--r--fs/cifs/inode.c5
2 files changed, 7 insertions, 4 deletions
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 749d6fb488e2..b1bc91cb98a0 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -198,7 +198,8 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
/* If Open reported that we actually created a file
then we now have to set the mode if possible */
if ((cifs_sb->tcon->ses->capabilities & CAP_UNIX) &&
- (oplock & CIFS_CREATE_ACTION))
+ (oplock & CIFS_CREATE_ACTION)) {
+ mode &= ~current->fs->umask;
if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
CIFSSMBUnixSetPerms(xid, pTcon, full_path, mode,
(__u64)current->fsuid,
@@ -216,7 +217,7 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
cifs_sb->mnt_cifs_flags &
CIFS_MOUNT_MAP_SPECIAL_CHR);
}
- else {
+ } else {
/* BB implement mode setting via Windows security descriptors */
/* eg CIFSSMBWinSetPerms(xid,pTcon,full_path,mode,-1,-1,local_nls);*/
/* could set r/o dos attribute if mode & 0222 == 0 */
@@ -324,6 +325,7 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, int mode,
if(full_path == NULL)
rc = -ENOMEM;
else if (pTcon->ses->capabilities & CAP_UNIX) {
+ mode &= ~current->fs->umask;
if(cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
rc = CIFSSMBUnixSetPerms(xid, pTcon, full_path,
mode,(__u64)current->fsuid,(__u64)current->fsgid,
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index f94b411f78b8..e63079d71b07 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -752,7 +752,8 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
d_instantiate(direntry, newinode);
if (direntry->d_inode)
direntry->d_inode->i_nlink = 2;
- if (cifs_sb->tcon->ses->capabilities & CAP_UNIX)
+ if (cifs_sb->tcon->ses->capabilities & CAP_UNIX) {
+ mode &= ~current->fs->umask;
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_SET_UID) {
CIFSSMBUnixSetPerms(xid, pTcon, full_path,
mode,
@@ -770,7 +771,7 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
cifs_sb->mnt_cifs_flags &
CIFS_MOUNT_MAP_SPECIAL_CHR);
}
- else {
+ } else {
/* BB to be implemented via Windows secrty descriptors
eg CIFSSMBWinSetPerms(xid, pTcon, full_path, mode,
-1, -1, local_nls); */