From 93a351627a34b462df8557c47edef34e87c81fff Mon Sep 17 00:00:00 2001 From: Andrew Date: Wed, 9 Feb 2022 11:27:00 -0600 Subject: [PATCH] Fix ACL checks for NFS kernel server For Linux NFS kernel server ops, fsuid and fsgid in cred are populated with ids that operation is being performed as, but euid and egid remain 0. In Linux when setresuid(2) and setresgid(2) are called, the fsuid and fsgid are set to the euid and egid respectively. This PR changes ZFS ACL checks to evaluate fsuid / fsgid rather than euid / egid to avoid accidentally granting elevated permissions to NFS clients. Signed-off-by: Andrew Walker --- module/os/linux/spl/spl-cred.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/module/os/linux/spl/spl-cred.c b/module/os/linux/spl/spl-cred.c index 8fe1cc30ba99..82347a2c6bdf 100644 --- a/module/os/linux/spl/spl-cred.c +++ b/module/os/linux/spl/spl-cred.c @@ -128,7 +128,7 @@ groupmember(gid_t gid, const cred_t *cr) uid_t crgetuid(const cred_t *cr) { - return (KUID_TO_SUID(cr->euid)); + return (KUID_TO_SUID(cr->fsuid)); } /* Return the real user id */ @@ -156,7 +156,7 @@ crgetfsuid(const cred_t *cr) gid_t crgetgid(const cred_t *cr) { - return (KGID_TO_SGID(cr->egid)); + return (KGID_TO_SGID(cr->fsgid)); } /* Return the real group id */