Hi tech@

It should not be possible to create a file or directory if write
permission is denied on the parent directory of the file or directory to
be created. However, FUSE does not perform an access check when the new
vnode lookup is performed and always allows files and directories to be
created unless the file system is mounted read-only.

This patch adds the access check to fuse_lookup.
(copied from ufs_lookup.c)

ok?


Index: fuse_lookup.c
===================================================================
RCS file: /cvs/src/sys/miscfs/fuse/fuse_lookup.c,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 fuse_lookup.c
--- fuse_lookup.c       7 Sep 2016 17:53:35 -0000       1.16
+++ fuse_lookup.c       26 Nov 2017 11:18:49 -0000
@@ -93,6 +93,14 @@ fusefs_lookup(void *v)
                                if (vdp->v_mount->mnt_flag & MNT_RDONLY)
                                        return (EROFS);
 
+                               /*
+                                * Access for write is interpreted as allowing
+                                * creation of files in the directory.
+                                */
+                               if ((error = VOP_ACCESS(vdp, VWRITE, cred,
+                                   cnp->cn_proc)) != 0)
+                                       return (error); 
+
                                cnp->cn_flags |= SAVENAME;
 
                                if (!lockparent) {
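Review bot: the new VOP_ACCESS(vdp, VWRITE, cred, cnp->cn_proc) check is added only in the create branch shown here, after the MNT_RDONLY test. Lookups for delete and rename need the same write check on the parent directory, so please confirm those paths in fusefs_lookup are covered, or extend the patch to them. The hunk also depends on `cred` and `error` being declared and initialised earlier in the function, which this context does not show. Minor style point: the added `return (error);` line ends with trailing whitespace.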
