ACL stability fix (was: cvs commit: src/sys/ufs/ufs ufs_acl.c (fwd))

Robert Watson rwatson at FreeBSD.org
Mon Apr 2 03:28:20 GMT 2001


This kernel source commit corrects a bug in the UFS ACL implementation
that may have been responsible for the intermittent crashes reported by a
number of testers.  The bug involved incorrect loading of default ACLs
from the underlying extended attributes, and manifested in high-load
scenarios (such as heavy-duty compiles).

Also, as a heads up -- libposix1e, up until now an independent library,
will be getting merged into the FreeBSD 5.0-CURRENT libc, so that its
security primitives are accessible to all applications.  This proved to be
a good idea when it was observed that (a) lots of applications will
shortly be ACL-aware, and (b) when setusercontext() and setlogincontext()
gain capability and MAC support (as they have in our prototypes), libutil
gains a dependency on libposix1e, and many other applications link
libutil, making them also gain the compile-time dependency.  This change
should be going in in the next few days thanks to Thomas Moestl, who has
also been working actively on the capability distribution.  Hopefully,
we'll be able to convince him to give us an updated release in the next
few weeks. 

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert at fledge.watson.org      NAI Labs, Safeport Network Services

---------- Forwarded message ----------
Date: Sun, 1 Apr 2001 18:02:32 -0700 (PDT)
From: Robert Watson <rwatson at FreeBSD.org>
To: cvs-committers at FreeBSD.org, cvs-all at FreeBSD.org
Subject: cvs commit: src/sys/ufs/ufs ufs_acl.c

rwatson     2001/04/01 18:02:32 PDT

  Modified files:
    sys/ufs/ufs          ufs_acl.c 
  Log:
  o Correct an ACL implementation bug that could result in a system panic
    under heavy use when default ACLs were being inherited by new files
    or directories.  This is done by removing a bug in default ACL
    reading, and improving error handling for this failure case:
  
      - Move the setting of the buffer length (len) variable to above the
        ACL type (ap->a_type) switch rather than having it only for
        ACL_TYPE_ACCESS.  Otherwise, the len variable is uninitialized in
        the ACL_TYPE_DEFAULT case, which generally worked right, but could
        result in failure.
  
      - Add a check for a short/long read of the ACL_TYPE_DEFAULT type from
        the underlying EA, resulting in EPERM rather than passing a
        potentially corrupted ACL back to the caller (resulting in "cleaner"
        failures if the EA is damaged: right now, the caller will almost
        always panic in the presence of a corrupted EA).  This code is similar
        to code in the ACL_TYPE_ACCESS handling in the previous switch case.
  
      - While I'm fixing this code, remove a redundant bzero() of the ACL
        reader buffer; it need only be initialized above the acl_type
        switch.
  
  Obtained from:	TrustedBSD Project
  
  Revision  Changes    Path
  1.2       +13 -3     src/sys/ufs/ufs/ufs_acl.c
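As an added illustration, not the committed ufs_acl.c code, here is a reduced C model of the read path the log describes: the buffer length is set once above the type switch, the buffer is zeroed once, and a short or long read of either ACL type returns EPERM instead of a partially filled ACL. The struct layout, the in-memory EA store, ea_get() and get_acl_checked() are assumptions of this example, with constructed sample attributes standing in for on-disk data.

```c
#include <errno.h>
#include <string.h>
/* Hypothetical, reduced stand-in for the kernel's struct acl (assumption). */
struct acl_entry { int ae_tag; int ae_id; int ae_perm; };
struct acl { int acl_cnt; struct acl_entry acl_entry[4]; };
enum { ACL_TYPE_ACCESS = 0, ACL_TYPE_DEFAULT = 1 };
/* Constructed in-memory EA store standing in for the on-disk backend. */
struct ea { const char *name; const void *data; size_t size; };
/* Simplified EA read: copies at most *len bytes, then reports the attribute's
 * true size in *len so that short and long reads are visible to the caller. */
static int ea_get(const struct ea *st, size_t n, const char *name,
                  void *buf, size_t *len)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(st[i].name, name) == 0) {
            memcpy(buf, st[i].data, st[i].size < *len ? st[i].size : *len);
            *len = st[i].size;
            return 0;
        }
    return ENOENT; /* attribute absent */
}
/* Reads one ACL type in the shape of the committed fix: len is assigned once
 * above the type switch and the read length is checked for both ACL types. */
static int get_acl_checked(const struct ea *st, size_t n, int type,
                           struct acl *aclp)
{
    const char *name;
    size_t len = sizeof(struct acl); /* set for every case, not only ACCESS */
    memset(aclp, 0, sizeof(*aclp));  /* single zeroing, above the switch */
    switch (type) {
    case ACL_TYPE_ACCESS:  name = "posix1e.acl_access";  break;
    case ACL_TYPE_DEFAULT: name = "posix1e.acl_default"; break;
    default:               return EINVAL;
    }
    int error = ea_get(st, n, name, aclp, &len);
    if (error != 0)
        return error;
    if (len != sizeof(struct acl)) { /* short or long read: reject, as the fix does */
        memset(aclp, 0, sizeof(*aclp)); /* never hand back a partial ACL */
        return EPERM;
    }
    return 0;
}
/* Constructed samples: an intact access ACL and a truncated default ACL. */
static const struct acl sample_access = { 1, { { 1, 0, 7 } } };
static const unsigned char truncated_default[8] = { 1, 0, 0, 0, 1, 0, 0, 0 };
static const struct ea sample_store[] = {
    { "posix1e.acl_access",  &sample_access,    sizeof(sample_access) },
    { "posix1e.acl_default", truncated_default, sizeof(truncated_default) } };
```

With the truncated default attribute, the read reports 8 bytes where sizeof(struct acl) is expected, so get_acl_checked() returns EPERM and leaves the caller's buffer zeroed rather than half-filled.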

