[PATCH] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623)

We must check for MAY_SATTR before setting acls, which includes checking for read-only exports: the lower-level setxattr operation that eventually sets the acl cannot check export-level restrictions. Bug reported by Martin Walter <mawa@uni-freiburg.de>. Signed-off-by: Andreas Gruenbacher <agruen@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623)
We must check for MAY_SATTR before setting acls, which includes checking for read-only exports: the lower-level setxattr operation that eventually sets the acl cannot check export-level restrictions. Bug reported by Martin Walter <mawa@uni-freiburg.de>. Signed-off-by: Andreas Gruenbacher <agruen@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
0a63dca5 · Andreas Gruenbacher · Greg Kroah-Hartman · 841f7067 · 0a63dca5 · 0a63dca5
Commit 0a63dca5 authored Dec 20, 2005 by Andreas Gruenbacher Committed by Greg Kroah-Hartman Dec 26, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

fs/nfsd/nfs2acl.c fs/nfsd/nfs2acl.c +1 -1

fs/nfsd/nfs3acl.c fs/nfsd/nfs3acl.c +1 -1

No files found.
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c
@@ -107,7 +107,7 @@ static int nfsacld_proc_setacl(struct svc_rqst * rqstp,
 	dprintk("nfsd: SETACL(2acl)   %s\n", SVCFH_fmt(&argp->fh));

 	fh = fh_copy(&resp->fh, &argp->fh);
-	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);

 	if (!nfserr) {
 		nfserr = nfserrno( nfsd_set_posix_acl(

--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c
@@ -101,7 +101,7 @@ static int nfsd3_proc_setacl(struct svc_rqst * rqstp,
 	int nfserr = 0;

 	fh = fh_copy(&resp->fh, &argp->fh);
-	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);

 	if (!nfserr) {
 		nfserr = nfserrno( nfsd_set_posix_acl(