git.openafs.org Git - openafs.git/commit

author	Andrew Deason <adeason@sinenomine.net>
	Fri, 13 Mar 2020 18:00:35 +0000 (13:00 -0500)
committer	Benjamin Kaduk <kaduk@mit.edu>
	Fri, 13 Mar 2020 19:28:31 +0000 (15:28 -0400)
commit	57b4f4f9be1e25d5609301c10f717aff32aef676
tree	ad150e43d1a42bc9015799111fd1984c260935a0	tree \| snapshot
parent	a0071a30d532520e51262c3b6c194659e95bf389	commit \| diff

LINUX: Properly revert creds in osi_UFSTruncate

Commit cd3221d3 (Linux: use override_creds when available) caused us
to force the current process's creds to the creds of afsd during
osi_file.c file ops, to avoid access errors in some cases.

However, in osi_UFSTruncate, one code path was missed to revert our
creds back to the original user's creds: when the afs_osi_Stat call
fails or deems the truncate unnecessary. In this case, the calling
process keeps the creds for afsd after osi_UFSTruncate returns,
causing our subsequent access-checking code to think that the current
process is in the same context as afsd (typically uid 0 without a
pag).

This can cause the calling process to appear to transiently have the
same access as non-pag uid 0; typically this will be unauthenticated
access, but could be authenticated if uid 0 has tokens.

To fix this, modify the early return in osi_UFSTruncate to go through
a 'goto done' destructor instead, and make sure we revert our creds in
that destructor.

Thanks to cwills@sinenomine.net for finding and helping reproduce the
issue.

Change-Id: I6820af675edcb7aa00542ba40fc52430d68c05e8
Reviewed-on: https://gerrit.openafs.org/14098
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Reviewed-by: Jeffrey Hutzelman <jhutz@cmu.edu>
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Tested-by: Cheyenne Wills <cwills@sinenomine.net>