--- /dev/null
+From security-bounces@linux.kernel.org Tue Dec 20 07:32:55 2005
+Date: Tue, 20 Dec 2005 16:29:05 +0100
+From: Marcus Meissner <meissner@suse.de>
+To: Trond.Myklebust@netapp.com
+Message-ID: <20051220152905.GA28537@suse.de>
+Cc: Chris L Mason <mason@suse.de>, Andreas Gruenbacher <agruen@suse.de>
+Subject: setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623)
+
+From: Andreas Gruenbacher <agruen@suse.de>
+
+We must check for MAY_SATTR before setting acls, which includes
+checking for read-only exports: the lower-level setxattr operation
+that eventually sets the acl cannot check export-level restrictions.
+
+Bug reported by Martin Walter <mawa@uni-freiburg.de>.
+
+Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfsd/nfs2acl.c | 2 +-
+ fs/nfsd/nfs3acl.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- linux-2.6.14.4.orig/fs/nfsd/nfs2acl.c
++++ linux-2.6.14.4/fs/nfsd/nfs2acl.c
+@@ -107,7 +107,7 @@ static int nfsacld_proc_setacl(struct sv
+ dprintk("nfsd: SETACL(2acl) %s\n", SVCFH_fmt(&argp->fh));
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+- nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
++ nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);
+
+ if (!nfserr) {
+ nfserr = nfserrno( nfsd_set_posix_acl(
+--- linux-2.6.14.4.orig/fs/nfsd/nfs3acl.c
++++ linux-2.6.14.4/fs/nfsd/nfs3acl.c
+@@ -101,7 +101,7 @@ static int nfsd3_proc_setacl(struct svc_
+ int nfserr = 0;
+
+ fh = fh_copy(&resp->fh, &argp->fh);
+- nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_NOP);
++ nfserr = fh_verify(rqstp, &resp->fh, 0, MAY_SATTR);
+
+ if (!nfserr) {
+ nfserr = nfserrno( nfsd_set_posix_acl(
projects / thirdparty / kernel / stable-queue.git / commitdiff
