The function inode_change_ok() in fs/attr.c should verify that only a
person who owns a given file (or has CAP_CHOWN) is allowed to change
the file's group. However, that check is *missing*, theoretically
allowing files' groups to be changed inappropriately. Oops!
Also, a bit of overly restrictive code that hides this first problem
for ext2 filesystems appears in ext2_notify_change().
The below patch rectifies these errors. I suggest that it be included
in 2.2.11. It may be appropriate for 2.3.x also, I don't know.
Index: fs/attr.c
*************** int inode_change_ok(struct inode *inode,
*** 24,34 ****
/* Make sure a caller can chown. */
if ((ia_valid & ATTR_UID) &&
! (current->fsuid != inode->i_uid ||
! attr->ia_uid != inode->i_uid) && !capable(CAP_CHOWN))
goto error;
/* Make sure caller can chgrp. */
if ((ia_valid & ATTR_GID) &&
! (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid) &&
!capable(CAP_CHOWN))
goto error;
--- 24,37 ----
/* Make sure a caller can chown. */
if ((ia_valid & ATTR_UID) &&
! attr->ia_uid != inode->i_uid &&
! (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) &&
! !capable(CAP_CHOWN))
goto error;
/* Make sure caller can chgrp. */
if ((ia_valid & ATTR_GID) &&
! attr->ia_gid != inode->i_gid &&
! (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) &&
! !in_group_p(attr->ia_gid) && /* no CAP_FGROUP? Why? */
!capable(CAP_CHOWN))
goto error;
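Review bot: Both rewritten conditions in the `--- 24,37 ----` side chain the new ownership test with `&&`, so each added conjunct makes the check reject fewer callers than the old code, not more. As written, the ATTR_UID test lets the file's owner (or a CAP_FOWNER holder) set any uid without CAP_CHOWN, and the ATTR_GID test still lets a non-owner who is a member of the target group change the group, which is the case the description sets out to close. The ownership test has to be OR-ed with the rest: keep the uid condition as it was, and write the gid one as `(current->fsuid != inode->i_uid || (!in_group_p(attr->ia_gid) && attr->ia_gid != inode->i_gid)) && !capable(CAP_CHOWN)`. Because the fs/ext2/inode.c hunk also drops the owner test in ext2_notify_change(), ext2 would presumably lose the enforcement it had until this condition is corrected. inode_change_ok() begins and ends outside the hunk.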
Index: fs/ext2/inode.c
*************** int ext2_notify_change(struct dentry *de
*** 715,720 ****
if (!capable(CAP_LINUX_IMMUTABLE))
goto out;
! } else if ((current->fsuid != inode->i_uid) && !capable(CAP_FOWNER))
! goto out;
if (iattr->ia_valid & ATTR_SIZE) {
--- 715,719 ----
if (!capable(CAP_LINUX_IMMUTABLE))
goto out;
! }
if (iattr->ia_valid & ATTR_SIZE) {
-- Chip Salzenberg - a.k.a. - <chip@perlsupport.com> "When do you work?" "Whenever I'm not busy."