blob: 9d9b0cace370a6dd0b66b1426c2f4a0afe828c6c [file] [log] [blame]
Mon Oct 24 23:27:42 1994 Theodore Y. Ts'o (tytso@rt-11)
* fcntl.c (sys_fcntl): Liberalize security checks which Alan Cox
put in.
Thu Oct 20 23:44:22 1994 Theodore Y. Ts'o (tytso@rt-11)
* fcntl.c (sys_fcntl): Add more of a security check to the
F_SETOWN fcntl().
[Tons of changes missed, indeed. This list is worth restarting since
at least some fixes WILL break third-party filesystems. Sorry, but
there was no other way to fix rmdir/rename deadlock, for one.]
Wed Dec 2 (Linus, fill the rest, please)
* namei.c (do_rmdir) and rmdir method in filesystems:
Locking of directory we remove was taken to VFS.
See comments in do_rmdir(). Unfixed filesystems
will bloody likely deadlock in rmdir().
Thu Dec 3 17:25:31 1998 Al Viro (viro@math.psu.edu)
* namei.c (do_rmdir):
Reject non-directories here.
Two (probably) obsolete checks moved here too: we fail if
the directory we remove is the same as parent (BUG: we
serve mountpoints later) or if it lives on a different
device.
* sysv/namei.c (sysv_rmdir): See sysv/CHANGES
Fri Dec 4 00:54:12 1998 AV
* namei.c (check_sticky): New function check_sticky(dir, inode).
If dir is sticky check whether we can unlink/rmdir/rename
the inode. Returns 1 if we can't. If dir isn't sticky -
return 0 (i.e. no objections). Some filesystems require
suser() here; some are fine with CAP_FOWNER. The later
seems more reasonable.
* namei.c (do_rmdir):
Moved the check for sticky bit here.
* affs/{inode,namei}.c:
All AFFS directories have sticky semantics (i.e. non-owner
having write permisssions on directory can unlink/rmdir/rename
only the files he owns), but AFFS didn't set S_ISVTX on them.
Fixed. NB: maybe this behaviour should be controlled by mount
option. Obvious values being 'sticky' (current behaviour),
'nonsticky' (normal behaviour) and maybe some play on 'D'
permissions bit. FIXME.
* qnx4/namei.c (qnx4_rmdir):
Plugged inode leak.
* ufs/namei.c (ufs_rmdir):
Changed handling of busy directory to new scheme.
Fri Dec 4 10:30:58 1998 AV
* namei.c (VFS_rmdir): New function. It gets inode of the parent and
dentry of the victim, does all checks and applies fs-specific
rmdir() method. It should be called with semaphores down
on both the victim and its parent and with bumped d_count on
victim (see comments in do_rmdir).
* include/linux/fs.h: Added VFS_rmdir
* kernel/ksyms.c: Added VFS_rmdir to export list (for NFSD).
* nfsd/vfs.c: Fixed rmdir handling.
Tue Dec 8 05:55:08 1998 AV
* vfat/namei.c: Fixed the bug in vfat_rename() introduced in the
first round of rmdir fixes.
Wed Dec 9 03:06:10 1998 AV
* namei.c (do_rename): part of fs-independent checks had been moved
here (sticky bit handling, type mismatches). Cases of
the source or target being append-only or immutable also went
here - if we check it for parent we could as well do it for
children.
* {affs,ext2,minix,sysv,ufs}/namei.c (do_*_rename):
Removed tests that went to VFS, it simplified the code big way.
Fixed a race in check for empty target - we should check for
extra owners _before_ checking for emptiness, not after it.
* {ext2,ufs}/namei.c (do_*_rename):
VERY nasty bug shot: if somebody mkdired /tmp/cca01234, went
there, rmdired '.', waited till somebody created a file with
the same name and said mv . /tmp/goodbye_sticky_bit... Well,
goodbye sticky bit. Down, not across!
* {minix,sysv}/namei.c (do_*_rename):
Incorrect check for other owners (i_count instead of d_count).
Fixed.
* vfat: Looks like the changes above fixed a bug in VFAT - this beast
used to allow renaming file over directory and vice versa.
Wed Dec 9 08:00:27 1998 AV
* namei.c (VFS_rename): New function. It gets the same arguments as
->rename() method, does all checks and applies fs-specific
rmdir() method. It should be called with semaphores down
on both parents.
* include/linux/fs.h: Added VFS_rename
* kernel/ksyms.c: Added VFS_rename to export list (for NFSD).
* nfsd/vfs.c: Changed rename handling (switched to VFS_rename).
Wed Dec 9 18:16:27 1998 AV
* namei.c (do_unlink): handling of sticky bit went here.
* {affs,ext2,minix,qnx4,sysv,ufs}/namei.c (*_unlink):
removed handling of sticky bit.
* qnx4/namei.c (qnx4_unlink):
Yet another inode leak. Fixed.
Thu Dec 10 04:55:26 1998 AV
* {ext2,minix,sysv,ufs}/namei.c (*_mknod):
removed meaningless code handling attempts to mknod symlinks
and directories. VFS protects us from _that_ and if this code
would ever be called we'ld get a filesystem corruption.
Thu Dec 10 16:58:50 1998 AV
* namei.c (do_rename): Fixed dentry leak that had been introduced by
the first round of rmdir fixes.
Fri Dec 11 14:57:17 1998 AV
* msdos/namei.c (msdos_rmdir): Fixed race in emptiness check.
Sat Dec 12 19:59:57 1998 AV
* msdos/namei.c (msdos_mkdir): Fixed the evil breakage introduced by
the changes of rmdir locking scheme. We shouldn't call
msdos_rmdir from there.
Sun Dec 13 02:05:16 1998 AV
* namei.c (do_unlink):
Added new function: vfs_unlink, with the same arguments as
->unlink() method.
* kernel/ksyms.c: Made it exported.
* include/linux/fs.h: Added prototype.
* nfsd/vfs.c: Changed handling of unlink (switched to vfs_unlink)
* {ext2,ufs}/namei.c (*_unlink): moved handling of imm./append-only to
VFS.
Wed Dec 16 06:10:04 1998 AV
* namei.c (may_create, may_delete): New inline functions.
They check whether creation/deletion is permitted.
Checks from other places of namei.c went there.
Looks like originally I misread permission-related stuff
both here and in nfsd. In particular, checks for
immutable are done in permission(). D'oh.
* unlink on directory should return -EISDIR, not -EPERM as it used to
do. Fixed.
* rmdir of immutable/append-only directory shouldn't be allowed. Fixed.
Remains unfixed:
* rename's handling of races is, erm, not optimal. Looks like I know
what to do, but this thing needs some more cleanup - we can
take care of almost all races in VFS and be much more graceful
wrt locking. Moreover, it would give strong lookup atomicity.
But it's a lot of changes to lookup and dcache code, so it will
go after the fs drivers' cleanup.
* affs allows HARD links to directories. VFS is, to put it politely,
not too ready to cope with _that_. And I'm not sure it should
be - looks like they are pretty much similar to symlinks.
* truncate doesn't give a damn about IO errors and disk overflows (on
braindead filesystems). I've submitted a patch to Linus, but
looks like it wasn't applied.
* msdos: shouldn't we treat SYS as IMMUTABLE? Makes sense, IMHO.