Subversion Repositories livecd

Rev

Rev 36 | Blame | Compare with Previous | Last modification | View Log | Download | RSS feed

diff -ur unionfs-1.1.5.ori/inode.c unionfs-1.1.5/inode.c
--- unionfs-1.1.5.ori/inode.c   2006-06-12 04:03:36.000000000 +0200
+++ unionfs-1.1.5/inode.c       2006-08-30 08:48:02.000000000 +0200
@@ -867,8 +867,43 @@
                retval = generic_permission(inode, submask, NULL);
 #endif
        }
-       
-       if (retval && retval != -EROFS) /* ignore EROFS */
+
+       /* XXX jg
+        * Ignore EROFS but still perform the DAC check.
+        * This block of code added to work around RHEL 4 U3 problem
+        * Where all permission checks would return EROFS on readonly 
+        * file system, and then be converted to 0 below.  The 
+        * result was anyone could write to any file before copyup!
+        * Code mostly lifted from fs/namei.c::vfs_permission().
+        */
+       if (retval == -EROFS) { 
+               umode_t mode = inode->i_mode;
+
+               BUG_ON(bindex == 0); /* handled above */
+               if (current->fsuid == inode->i_uid)
+                       mode >>= 6;
+               else if (in_group_p(inode->i_gid))
+                       mode >>= 3;
+               if (((mode & mask & (MAY_READ|MAY_WRITE|MAY_EXEC)) == mask)) {
+                       retval = 0;
+                       goto out;
+               }
+               if (!(mask & MAY_EXEC) ||
+                   (inode->i_mode & S_IXUGO) || S_ISDIR(inode->i_mode))
+                       if (capable(CAP_DAC_OVERRIDE)) {
+                               retval = 0;
+                               goto out;
+                       }
+               if (mask == MAY_READ || 
+                   (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
+                       if (capable(CAP_DAC_READ_SEARCH)) {
+                               retval = 0;
+                               goto out;
+                       }
+               retval = -EACCES;
+       }
+out:
+               if (retval && retval != -EROFS) /* ignore EROFS */
                return retval;
 
        retval = security_inode_permission(inode, mask, nd);