On Sun, 8 Jul 2007, Ulrich Drepper wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Linus Torvalds wrote:
> > notify_change() does *not* do permission checks for
> > ATTR_CTIME/MTIME/ATIME.
>
> Then I don't understand
>
> /* Check for setting the inode time. */
> if (ia_valid & (ATTR_MTIME_SET | ATTR_ATIME_SET)) {
> if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER))
> goto error;
> }
>
> in inode_change_ok. This seems to me exactly like the check needed.
No it's not. It really allows only the _owner_ to change MTIME/ATIME.
And the thing is, other people _can_ change MTIME/ATIME, but only to the
current time!
This is why ATTR_MTIME_SET ("set it to a _specific_ time") is so different
from ATTR_MTIME ("set it to the _current_ time").
The former is for times() with times != NULL, and is strictly limited to
only the owner (or root).
The latter is a "anybody who can change the inode can implicitly also
change the inode timestamps, but only to the _current_ time".
In other words, the ATTR_A/MTIME_SET thing allows people to _lie_ about
the time, and only the owner is allowed to do that. Which is why they are
very different.
Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
