From: Bruno Haible
To: Ondrej Valousek, Paul Eggert
Cc: bug-gnulib@gnu.org
Subject: Re: [PATCH] Use xattr (Linux) in qcopy-acl.c
Date: Thu, 12 Jan 2023 21:58:48 +0100
Message-ID: <5490373.FjVNtL66Cm@nimes>
References: <20230104143425.1235741-1-ondrej.valousek.xm@renesas.com>

[Re-adding bug-gnulib in CC]

Paul Eggert wrote:
> > - similar vulnerability does exist in the old code, too
> ...
> But really, isn't it *odd* that there's no way to copy a file securely
> with ACLs (either with xattr or without)? What's up with that? Didn't
> ACL/xattr designers think about copying files?

There is a way to do it securely; _we_ just haven't thought about how to do
it securely so far.

When I added the 'copy-file' module in 2003, it did not handle ACLs. Then,
when I added ACL support to it in 2006, I left open a security hole (namely
when the destination file already exists and has an ALLOWing ACL set): we
don't specify O_EXCL here, nor do we delete the ACL first.

And there's a second case, namely the uses of copy_acl from GNU coreutils...

I think, to handle this in full generality, we need to decompose an ACL into
an ALLOWing ACL and a DENYing ACL. Then, when writing to a file that already
exists and potentially has an ACL, we need to proceed in these phases:
  1. remove the ALLOWing part of the old ACL,
  2. add the DENYing part of the new ACL,
  3. copy the data,
  4. remove the DENYing part of the old ACL (as far as not also contained
     in the new ACL),
  5. add the ALLOWing part of the new ACL.

Something like that, no?

Bruno
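
The phase ordering proposed in the message above, modelled as an added example (not gnulib code and not part of the original message). It assumes a simplified in-memory ACL with per-principal ALLOW and DENY masks; `struct acl`, `run_phases`, `exposed_by` and the sample principals are hypothetical. It compares copying the data before touching the ACL against the five phases.

```c
#include <stdio.h>
enum { NPRIN = 4, RD = 4, WR = 2 };   /* constructed principals 0..3 */

/* Simplified model (an assumption, not a real ACL API): one ALLOW and one
   DENY mask per principal; DENY overrides ALLOW; no entry means no access. */
struct acl { unsigned allow[NPRIN], deny[NPRIN]; };

/* Principals whose effective rights under cur exceed what lim grants. */
static unsigned excess(const struct acl *cur, const struct acl *lim) {
  unsigned bad = 0;
  for (int p = 0; p < NPRIN; p++)
    if ((cur->allow[p] & ~cur->deny[p]) & ~(lim->allow[p] & ~lim->deny[p]))
      bad |= 1u << p;
  return bad;
}

/* Apply the phases in the given order, starting from ACL old.  Phase 3 is the
   data copy: before it the limit is old, from then on it is want.  Returns
   the principals over-exposed after any phase; *cur gets the final ACL. */
unsigned run_phases(const int *order, int n, const struct acl *old,
                    const struct acl *want, struct acl *cur) {
  unsigned exposed = 0;
  int new_data = 0;
  *cur = *old;
  for (int i = 0; i < n; i++) {
    for (int p = 0; p < NPRIN; p++)
      switch (order[i]) {
      case 1: cur->allow[p] = 0; break;                /* drop old ALLOW */
      case 2: cur->deny[p] |= want->deny[p]; break;    /* add new DENY */
      case 4: cur->deny[p] &= want->deny[p]; break;    /* drop stale DENY */
      case 5: cur->allow[p] |= want->allow[p]; break;  /* add new ALLOW */
      }
    if (order[i] == 3) new_data = 1;                   /* copy the data */
    exposed |= excess(cur, new_data ? want : old);
  }
  return exposed;
}

/* Constructed sample: principals 1 and 2 may read the old file, not the new. */
static const struct acl OLD = { { RD | WR, RD, RD, 0 }, { 0, 0, WR, 0 } };
static const struct acl NEW = { { RD | WR, 0, 0, RD }, { 0, RD, 0, 0 } };
static const int COPY_FIRST[] = { 3, 1, 2, 4, 5 }, PHASED[] = { 1, 2, 3, 4, 5 };
unsigned exposed_by(const int *order) {
  struct acl end;
  return run_phases(order, 5, &OLD, &NEW, &end);
}

int main(void) {
  printf("copy first 0x%x, phased 0x%x\n", exposed_by(COPY_FIRST), exposed_by(PHASED));
  return 0;
}
```

Each bit set in the returned mask is a constructed principal that could reach data the applicable ACL does not grant it at some point in the sequence.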