[vhffs-dev] [1596] ported TF kernel patch to 2.6.33.2, improved patch to clear many modes on files and directories |
[ Thread Index |
Date Index
| More vhffs.org/vhffs-dev Archives
]
- To: vhffs-dev@xxxxxxxxx
- Subject: [vhffs-dev] [1596] ported TF kernel patch to 2.6.33.2, improved patch to clear many modes on files and directories
- From: subversion@xxxxxxxxxxxxx
- Date: Tue, 13 Apr 2010 00:10:01 +0200
Revision: 1596
Author: gradator
Date: 2010-04-13 00:10:01 +0200 (Tue, 13 Apr 2010)
Log Message:
-----------
ported TF kernel patch to 2.6.33.2, improved patch to clear many modes on files and directories
Added Paths:
-----------
trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.0-2.6.33.2.patch
trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.1-2.6.33.2.patch
Added: trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.0-2.6.33.2.patch
===================================================================
--- trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.0-2.6.33.2.patch (rev 0)
+++ trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.0-2.6.33.2.patch 2010-04-12 22:10:01 UTC (rev 1596)
@@ -0,0 +1,123 @@
+diff -Nru linux-2.6.33.2.a/fs/namei.c linux-2.6.33.2.b/fs/namei.c
+--- linux-2.6.33.2.a/fs/namei.c 2010-04-12 22:27:36.000000000 +0200
++++ linux-2.6.33.2.b/fs/namei.c 2010-04-12 21:47:56.000000000 +0200
+@@ -2167,6 +2167,9 @@
+ return -EPERM;
+
+ mode &= (S_IRWXUGO|S_ISVTX);
++ if( current_uid() >= 10000 && current_gid() >= 10000 )
++ mode |= S_ISGID;
++
+ error = security_inode_mkdir(dir, dentry, mode);
+ if (error)
+ return error;
+diff -Nru linux-2.6.33.2.a/fs/open.c linux-2.6.33.2.b/fs/open.c
+--- linux-2.6.33.2.a/fs/open.c 2010-04-12 22:27:36.000000000 +0200
++++ linux-2.6.33.2.b/fs/open.c 2010-04-12 22:27:03.000000000 +0200
+@@ -660,6 +660,10 @@
+ goto out_unlock;
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
++
++ if( S_ISDIR(inode->i_mode) && inode->i_uid >= 10000 && inode->i_gid >= 10000 )
++ mode |= S_ISGID;
++
+ newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ err = notify_change(dentry, &newattrs);
+@@ -701,6 +705,9 @@
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
+
++ if( S_ISDIR(inode->i_mode) && inode->i_uid >= 10000 && inode->i_gid >= 10000 )
++ mode |= S_ISGID;
++
+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
+ error = -EACCES;
+ goto out_unlock;
+@@ -1093,7 +1100,7 @@
+
+ EXPORT_SYMBOL(fd_install);
+
+-long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++long old_do_sys_open(int dfd, const char __user *filename, int flags, int mode)
+ {
+ char *tmp = getname(filename);
+ int fd = PTR_ERR(tmp);
+@@ -1115,6 +1122,76 @@
+ return fd;
+ }
+
++long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++{
++ long fd;
++ struct file *f;
++ struct dentry *d;
++ struct inode *inode;
++ struct group_info *gi;
++ long ngroups,i,j;
++
++ fd = old_do_sys_open( dfd , filename , flags , mode );
++
++ if( fd < 0 )
++ return fd;
++
++ if( current_uid() < 10000 && current_gid() < 10000 )
++ return fd;
++
++ f = fget( fd );
++ if( f == NULL ) {
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ d = f->f_dentry;
++ if( d == NULL ) {
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ inode = d->d_inode;
++ if( inode == NULL ) {
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ /* allow open() on system files */
++ if( inode->i_uid < 10000 && inode->i_gid < 10000 ) {
++ fput( f );
++ return fd;
++ }
++
++ /* allow open() if the user or group of file is either the current user or the current group */
++ if( inode->i_gid == current_gid() || inode->i_uid == current_uid() ) {
++ fput( f );
++ return fd;
++ }
++
++ /* if not check if the file belong to one of the user group */
++ gi = get_current_groups();
++ ngroups = gi->ngroups;
++ for( i = 0 ; i < gi->nblocks ; i++) {
++ long cp_count = min( (long)NGROUPS_PER_BLOCK, ngroups );
++ for( j = 0 ; j < cp_count ; j++ ) {
++ if( gi->blocks[i][j] == inode->i_gid ) {
++ put_group_info( gi );
++ fput( f );
++ return fd;
++ }
++ }
++ ngroups -= NGROUPS_PER_BLOCK;
++ }
++ put_group_info( gi );
++
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++}
++
+ SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, int, mode)
+ {
+ long ret;
Added: trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.1-2.6.33.2.patch
===================================================================
--- trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.1-2.6.33.2.patch (rev 0)
+++ trunk/vhffs-packages/patches/tfsyscall/tfsyscall-0.2.1-2.6.33.2.patch 2010-04-12 22:10:01 UTC (rev 1596)
@@ -0,0 +1,147 @@
+diff -Nru linux-2.6.33.2.a/fs/namei.c linux-2.6.33.2.b/fs/namei.c
+--- linux-2.6.33.2.a/fs/namei.c 2010-04-12 22:27:36.000000000 +0200
++++ linux-2.6.33.2.b/fs/namei.c 2010-04-12 22:35:38.000000000 +0200
+@@ -2167,6 +2167,13 @@
+ return -EPERM;
+
+ mode &= (S_IRWXUGO|S_ISVTX);
++ // TF PATCH: forces 02700, clear 05002
++ if( current_uid() >= 10000 && current_gid() >= 10000 ) {
++ mode &= 02775;
++ mode |= 02700;
++ }
++ // TF PATCH: END
++
+ error = security_inode_mkdir(dir, dentry, mode);
+ if (error)
+ return error;
+diff -Nru linux-2.6.33.2.a/fs/open.c linux-2.6.33.2.b/fs/open.c
+--- linux-2.6.33.2.a/fs/open.c 2010-04-12 22:27:36.000000000 +0200
++++ linux-2.6.33.2.b/fs/open.c 2010-04-12 22:45:10.000000000 +0200
+@@ -660,6 +660,19 @@
+ goto out_unlock;
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
++
++ // TF PATCH: forces 02700 on dir, 00400 on files, remove 05002 on dir, remove 07002 on files
++ if( inode->i_uid >= 10000 && inode->i_gid >= 10000 ) {
++ if( S_ISREG(inode->i_mode) ) {
++ mode &= 00775;
++ mode |= 00400;
++ } else if ( S_ISDIR(inode->i_mode) ) {
++ mode &= 02775;
++ mode |= 02700;
++ }
++ }
++ // TF PATCH: end
++
+ newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
+ newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
+ err = notify_change(dentry, &newattrs);
+@@ -701,6 +714,18 @@
+ if (mode == (mode_t) -1)
+ mode = inode->i_mode;
+
++ // TF PATCH: forces 02700 on dir, 00400 on files, remove 05002 on dir, remove 07002 on files
++ if( inode->i_uid >= 10000 && inode->i_gid >= 10000 ) {
++ if( S_ISREG(inode->i_mode) ) {
++ mode &= 00775;
++ mode |= 00400;
++ } else if ( S_ISDIR(inode->i_mode) ) {
++ mode &= 02775;
++ mode |= 02700;
++ }
++ }
++ // TF PATCH: end
++
+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
+ error = -EACCES;
+ goto out_unlock;
+@@ -1093,7 +1118,7 @@
+
+ EXPORT_SYMBOL(fd_install);
+
+-long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++long old_do_sys_open(int dfd, const char __user *filename, int flags, int mode)
+ {
+ char *tmp = getname(filename);
+ int fd = PTR_ERR(tmp);
+@@ -1115,6 +1140,78 @@
+ return fd;
+ }
+
++long do_sys_open(int dfd, const char __user *filename, int flags, int mode)
++{
++ long fd;
++ struct file *f;
++ struct dentry *d;
++ struct inode *inode;
++ struct group_info *gi;
++ long ngroups,i,j;
++
++ fd = old_do_sys_open( dfd , filename , flags , mode );
++
++// TF PATCH: enforce group permission, disallow groups to open files of other groups
++ if( fd < 0 )
++ return fd;
++
++ if( current_uid() < 10000 && current_gid() < 10000 )
++ return fd;
++
++ f = fget( fd );
++ if( f == NULL ) {
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ d = f->f_dentry;
++ if( d == NULL ) {
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ inode = d->d_inode;
++ if( inode == NULL ) {
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++ }
++
++ /* allow open() on system files */
++ if( inode->i_uid < 10000 && inode->i_gid < 10000 ) {
++ fput( f );
++ return fd;
++ }
++
++ /* allow open() if the user or group of file is either the current user or the current group */
++ if( inode->i_gid == current_gid() || inode->i_uid == current_uid() ) {
++ fput( f );
++ return fd;
++ }
++
++ /* if not check if the file belong to one of the user group */
++ gi = get_current_groups();
++ ngroups = gi->ngroups;
++ for( i = 0 ; i < gi->nblocks ; i++) {
++ long cp_count = min( (long)NGROUPS_PER_BLOCK, ngroups );
++ for( j = 0 ; j < cp_count ; j++ ) {
++ if( gi->blocks[i][j] == inode->i_gid ) {
++ put_group_info( gi );
++ fput( f );
++ return fd;
++ }
++ }
++ ngroups -= NGROUPS_PER_BLOCK;
++ }
++ put_group_info( gi );
++
++ fput( f );
++ sys_close( fd );
++ return -EACCES;
++// TF PATCH: end
++}
++
+ SYSCALL_DEFINE3(open, const char __user *, filename, int, flags, int, mode)
+ {
+ long ret;
- Messages sorted by: [ date | thread ]
- Prev by Date:
[vhffs-dev] [1595] ported patchs to pureftpd 1.0.29, improved customer proof patch ( clear specials modes on files, only allow and force sgid for directories, clear o+w on files and directories), removed patch to allow ssl when a passive IP is forced ( not necessary anymore), added a patch to allow ESTP when a passive IP is forced (ok, I don' t know any FTP client that use ESTP yet, I won't ever test if it works)
- Next by Date:
[vhffs-dev] [1597] add two new options, clearmodefile and clearmodedir, so that you can clear modes when chmod()ing (eg.
- Previous by thread:
[vhffs-dev] [1595] ported patchs to pureftpd 1.0.29, improved customer proof patch ( clear specials modes on files, only allow and force sgid for directories, clear o+w on files and directories), removed patch to allow ssl when a passive IP is forced ( not necessary anymore), added a patch to allow ESTP when a passive IP is forced (ok, I don' t know any FTP client that use ESTP yet, I won't ever test if it works)
- Next by thread:
[vhffs-dev] [1597] add two new options, clearmodefile and clearmodedir, so that you can clear modes when chmod()ing (eg.