[PATCH] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623) We must check for MAY_SATTR before setting acls, which includes checking for read-only exports: the lower-level setxattr operation that eventually sets the acl cannot check export-level restrictions. Bug reported by Martin Walter <mawa@uni-freiburg.de>. Signed-off-by: Andreas Gruenbacher <agruen@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit: 0a63dca5ae2f975e08deae7e6c743a477af04367 [log] [tgz]
author: Andreas Gruenbacher <agruen@suse.de> Tue Dec 20 16:29:05 2005 +0100
committer: Greg Kroah-Hartman <gregkh@suse.de> Mon Dec 26 16:08:59 2005 -0800
tree: ea4159295a732a277b99ae4960a1575ef600e6a7
parent: 841f70676036b309f7102e2c8024dc68c3946990 [diff]
diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
index 7cbf068..fc95c4d 100644
--- a/fs/nfsd/nfs2acl.c
+++ b/fs/nfsd/nfs2acl.c

@@ -107,7 +107,7 @@
 	dprintk("nfsd: SETACL(2acl)   %s\n", SVCFH_fmt(&argp->fh));
 
 	fh = fh_copy(&resp->fh, &argp->fh);
-	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);
 
 	if (!nfserr) {
 		nfserr = nfserrno( nfsd_set_posix_acl(

diff --git a/fs/nfsd/nfs3acl.c b/fs/nfsd/nfs3acl.c
index 64ba405..16e10c1 100644
--- a/fs/nfsd/nfs3acl.c
+++ b/fs/nfsd/nfs3acl.c

@@ -101,7 +101,7 @@
 	int nfserr = 0;
 
 	fh = fh_copy(&resp->fh, &argp->fh);
-	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
+	nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);
 
 	if (!nfserr) {
 		nfserr = nfserrno( nfsd_set_posix_acl(
commit	0a63dca5ae2f975e08deae7e6c743a477af04367	[log] [tgz]
author	Andreas Gruenbacher <agruen@suse.de>	Tue Dec 20 16:29:05 2005 +0100
committer	Greg Kroah-Hartman <gregkh@suse.de>	Mon Dec 26 16:08:59 2005 -0800
tree	ea4159295a732a277b99ae4960a1575ef600e6a7
parent	841f70676036b309f7102e2c8024dc68c3946990 [diff]