From owner-cvs-all@FreeBSD.ORG Wed Dec 13 17:33:54 2006 Return-Path: X-Original-To: cvs-all@freebsd.org Delivered-To: cvs-all@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 67F9516A416; Wed, 13 Dec 2006 17:33:54 +0000 (UTC) (envelope-from bde@zeta.org.au) Received: from mailout2.pacific.net.au (mailout2-3.pacific.net.au [61.8.2.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0E0D43CD0; Wed, 13 Dec 2006 17:31:56 +0000 (GMT) (envelope-from bde@zeta.org.au) Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.2.163]) by mailout2.pacific.net.au (Postfix) with ESMTP id 015B5111382; Thu, 14 Dec 2006 04:32:44 +1100 (EST) Received: from besplex.bde.org (katana.zip.com.au [61.8.7.246]) by mailproxy2.pacific.net.au (Postfix) with ESMTP id BAB5227407; Thu, 14 Dec 2006 04:32:43 +1100 (EST) Date: Thu, 14 Dec 2006 04:32:43 +1100 (EST) From: Bruce Evans X-X-Sender: bde@besplex.bde.org To: Pawel Jakub Dawidek In-Reply-To: <20061213160444.GE793@garage.freebsd.pl> Message-ID: <20061214031601.F1578@besplex.bde.org> References: <200612131146.kBDBkdQv050907@repoman.freebsd.org> <20061214011927.X994@besplex.bde.org> <20061213160444.GE793@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org Subject: Re: cvs commit: src/lib/libc/sys chown.2 X-BeenThere: cvs-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: CVS commit messages for the entire tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Dec 2006 17:33:54 -0000 On Wed, 13 Dec 2006, Pawel Jakub Dawidek wrote: > On Thu, Dec 14, 2006 at 02:31:52AM +1100, Bruce Evans wrote: >> On Wed, 13 Dec 2006, Pawel Jakub Dawidek wrote: >> >>> pjd 2006-12-13 11:46:38 UTC >>> >>> FreeBSD src repository >>> >>> Modified files: >>> lib/libc/sys chown.2 >>> Log: >>> Be more precise with EPERM description. When chown(2) is a no-op, it will >>> return 0. >> >> VADMIN access is still required for null changes. This normally means >> that the the caller must own the file, but there are complications for >> ACLs. [...] > > Right, my testing wasn't precise. > > But still, if I pass uid=-1 and gid=-1 it works always (I don't have to > have VADMIN access). I forget about these. They are magic and mean "don't change, and (?) succeed in some permisions checks based on ids". Hmm, their operation is tricky: First, the -1's are excessively magic. They just happen to be identical to VNOVAL when converted to ids. setfown() depends on this when it copies the userland values to vattr. This isn't a problem in practice of course -- VNOVAL is the same magic -1. When both ids are VNOVAL, the VOP_SETATTR() call is already null and doesn't do anything (for ffs, it doesn't even call ufs_chown()). POSIX allows it to either update or not update the ctime, but I think allowing the update is a bug in POSIX -- it lets anyone clobber the ctime of any file, at least with my interpretation of null changes to gids. When at least one id is not VNOVAL, for ffs ufs_chown() is called and it does the VADMIN check after replacing uid == VNOVAL with the file uid. This prevents further problems. In this case, POSIX requires the ctime to be be marked for update even for null changes, and FreeBSD implements this. The VADMIN check prevents anyone clobbering ctime of any file using this type of null change. >> The details for this are hard to describe. They are at least as complicated >> as: >> - the effective uid must be the super-user, unless all of the following: >> . it is the same as the file's uid, or [complications for ACLs] >> . the change to the uids of the file is null >> . [permission is never granted based solely on the egid-- check this] >> . the change to the gids is either null or the new file gid is in the >> same group as the egid. >> . [nothing is required or the old file gid -- check this] >> I used fine print in POSIX to justify permitting null changes to the >> gid. FreeBSD-1 doesn't allow this. My reasoning was something like >> "non-null changes (from a gid not in our group to one in our group) >> are permitted (if euid == old file uid == new file uid), so why disallow >> null changes? The uid checks should be sufficient." McKusick agreed >> with this. > > Do you have a suggestion how we can describe it properly? Write your regression tests for all cases first :-). Check POSIX. I'm too tired to understand the details that POSIX gives now. It gives more details than I remember, and still requires a subtle interpretation of "change" as "non-null change" to permit certain null changes of gids. Bruce