Hi Klaus, On Sun, 9 Oct 2005, Klaus Knopper wrote:
> > The changes from 20050921-1517 to 20050923-1803 were done by Klaus Knopper. > > This is not completely correct. ;-) Sorry! ;-) > > Klaus, could you please check your patch in this direction? > > The OLD behaviour of 20050921-1517 was the following: > > IF the lower level branch was read-only (EROFS), THEN file/directory > permissions > were COMPLETELY IGNORED and overwriting ANY FILE succeeded, by ANY USER. > > This is apparently wrong, since this leads to a kind of DOS file system > where any user can overwrite files he isn't supposed to. > > What my original patch did, is the following: > > - Check an existing files permission (regardless of a read-only lower branch), > - allow read or write ONLY if the permissions match the users privileges. > > which is the standard POSIX behaviour (IMHO). > > Now, Dave has changed my patch somewhat in a way that I do not > completely understand, namely there is a part of the old behaviour > (using the vfs permission() call), and later also the corrected one > (check the real permissions, but only in case the vfs permission call > before returned EROFS and we are not on the toplevel branch). This may be > correct. Or maybe not. I really don't know in which cases it will work > and in which it won't. > > If you like, I can send you my original version of the patched > 20050921-1517 for testing. Thanx, now I better understand. I am willing to test anything but as far as I can see unionfs-20050929-0844 + Junjiro's patch is doing just what I want. And the security bug seems to be solved. Regards, Martin -- Martin Walter University of Freiburg i.Br. --- Germany --- Fon/Fax: +49 761 203-4651/-4643 Rechenzentrum der Universitaet, Hermann-Herder-Str.10, D-79104 Freiburg i.Br. _______________________________________________ unionfs mailing list unionfs@mail.fsl.cs.sunysb.edu http://www.fsl.cs.sunysb.edu/mailman/listinfo/unionfs
