Bug 2185710

Summary: client: clear the suid/sgid in fallocate path
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Xiubo Li <xiubli>
Component: CephFS
Assignee: Xiubo Li <xiubli>
Status: CLOSED ERRATA
QA Contact: Hemanth Kumar <hyelloji>
Severity: high
Docs Contact: Akash Raj <akraj>
Priority: unspecified
Version: 6.0
CC: akraj, ceph-eng-bugs, cephqe-warriors, gfarnum, hyelloji, tserlin, vereddy
Target Milestone: ---
Target Release: 6.1z1
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ceph-17.2.6-87.el9cp
Doc Type: Bug Fix
Doc Text:
.The _fallocate_ path clears the `suid`/`sgid` if an unprivileged user changes the file

Previously, the _fallocate_ path would not clear the `suid`/`sgid` if an unprivileged user changed the file. There is no POSIX item that requires clearing the `suid`/`sgid` in the _fallocate_ path, but this is the default behaviour for most of the filesystems and the VFS layer. So, the user space `libcephfs` client would not comply with most filesystems in the kernel and this could be easily hacked. With this fix, the _fallocate_ path clears the `suid`/`sgid` if an unprivileged user changes the file, making the user space `libcephfs` client comply with most other filesystems and fixing the attack hole.
Last Closed: 2023-08-03 16:45:09 UTC
Type: Bug
Bug Blocks: 2221020    

Description Xiubo Li 2023-04-11 04:22:24 UTC
There is no POSIX item that requires that we clear the suid/sgid
in the fallocate code path, but this is the default behaviour for most of
the filesystems and the VFS layer. The same applies to the write
code path, which already supports it.

Fixes: https://tracker.ceph.com/issues/58680
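
A regression check for the behaviour this bug describes, as an added example (not code from the bug report or from Ceph): it creates a scratch file with the setuid/setgid bits in a directory on the mount under test, calls fallocate() as the current user, and reports whether the bits survived. The names `classify` and `probe_fallocate` and the probe file name are made up for the example, and euid 0 is used as a stand-in for CAP_FSETID.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* glibc declares fallocate() only under _GNU_SOURCE; declare it here instead. */
int fallocate(int fd, int mode, off_t offset, off_t len);

enum verdict { CLEARED, RETAINED, PARTIAL, INCONCLUSIVE };

/* Compare the special bits before and after the change. A privileged caller
 * keeps them by design; euid 0 stands in for CAP_FSETID (an approximation). */
enum verdict classify(mode_t before, mode_t after, int privileged)
{
    mode_t had = before & (S_ISUID | S_ISGID);
    mode_t kept = after & had;
    if (privileged || had == 0) return INCONCLUSIVE;
    if (kept == 0) return CLEARED;
    return kept == had ? RETAINED : PARTIAL;
}

/* Create a scratch file in dir, ask for mode 06755 (group-exec set, so S_ISGID
 * is a real setgid bit), fallocate 1 MiB as the current user, compare modes. */
enum verdict probe_fallocate(const char *dir)
{
    char path[4096];
    struct stat b, a;
    enum verdict v = INCONCLUSIVE;
    snprintf(path, sizeof path, "%s/suid-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return v;
    /* Re-read the mode after fchmod: chmod itself may drop S_ISGID. */
    if (fchmod(fd, 06755) == 0 && fstat(fd, &b) == 0 &&
        fallocate(fd, 0, 0, 1 << 20) == 0 && fstat(fd, &a) == 0)
        v = classify(b.st_mode, a.st_mode, geteuid() == 0);
    close(fd);
    unlink(path);
    return v;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "cleared", "RETAINED", "partial", "inconclusive" };
    enum verdict v = probe_fallocate(argc > 1 ? argv[1] : ".");
    printf("setuid/setgid after fallocate: %s\n", names[v]);
    return v == RETAINED || v == PARTIAL;
}
```

Run it as an unprivileged user with a directory on the mount to test as its argument; a non-zero exit status means at least one of the bits was retained.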

Comment 12 errata-xmlrpc 2023-08-03 16:45:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat Ceph Storage 6.1 Bug Fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:4473