From owner-svn-src-projects@freebsd.org  Tue May  7 16:12:00 2019
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 58C7F158C576
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Tue,  7 May 2019 16:12:00 +0000 (UTC)
 (envelope-from brde@optusnet.com.au)
Received: from mail106.syd.optusnet.com.au (mail106.syd.optusnet.com.au
 [211.29.132.42])
 by mx1.freebsd.org (Postfix) with ESMTP id C43408F87D;
 Tue,  7 May 2019 16:11:58 +0000 (UTC)
 (envelope-from brde@optusnet.com.au)
Received: from [192.168.0.102] (c110-21-101-228.carlnfd1.nsw.optusnet.com.au
 [110.21.101.228])
 by mail106.syd.optusnet.com.au (Postfix) with ESMTPS id 8778D3DB951;
 Wed,  8 May 2019 02:11:49 +1000 (AEST)
Date: Wed, 8 May 2019 02:11:48 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
X-X-Sender: bde@besplex.bde.org
To: Alan Somers <asomers@freebsd.org>
cc: Bruce Evans <brde@optusnet.com.au>, 
 src-committers <src-committers@freebsd.org>, svn-src-projects@freebsd.org
Subject: Re: svn commit: r347217 - in projects/fuse2: sys/fs/fuse
 tests/sys/fs/fusefs
In-Reply-To: <CAOtMX2iazsHTELYRniuNHepWC211nUGA1C=VVo6rcV9bMiS49g@mail.gmail.com>
Message-ID: <20190508015918.X1615@besplex.bde.org>
References: <201905070127.x471ROvf000119@repo.freebsd.org>
 <20190507231529.I1127@besplex.bde.org>
 <CAOtMX2iazsHTELYRniuNHepWC211nUGA1C=VVo6rcV9bMiS49g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Optus-CM-Score: 0
X-Optus-CM-Analysis: v=2.2 cv=P6RKvmIu c=1 sm=1 tr=0 cx=a_idp_d
 a=PalzARQSbocsUSjMRkwAPg==:117 a=PalzARQSbocsUSjMRkwAPg==:17
 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=kj9zAlcOel0A:10 a=PO7r1zJSAAAA:8
 a=XW1f6RsyIjqmAVAeEVcA:9 a=CjuIK1q_8ugA:10
X-Rspamd-Queue-Id: C43408F87D
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-6.98 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 NEURAL_HAM_SHORT(-0.98)[-0.983,0]; REPLY(-4.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 16:12:00 -0000

On Tue, 7 May 2019, Alan Somers wrote:

> On Tue, May 7, 2019 at 8:18 AM Bruce Evans <brde@optusnet.com.au> wrote:
>>
>> On Tue, 7 May 2019, Alan Somers wrote:
>>
>>> Log:
>>>  fusefs: allow the null chown and null chgrp
>>>
>>>  Even an unprivileged user should be able to chown a file to its current
>>>  owner, or chgrp it to its current group.  Those are no-ops.
>>
>> ffs allows this too, but POSIX seems to require appropriate privilege
>> even for null changes.  Its DESCRIPTION section says "Changing the
>> user ID is restricted to processes with appropriate privileges."  It
>> doesn't formally define "Changing", so this can be read as not
>> restricting null changes.  However, its ERRORS section says that chown()
>> shall fail with errno [EPERM] if the euid doesn't match the owner of
>> the file or the calling process doesn't have appropriate privilege
>> (note: nothing about the null change where only the new and old owners
>> of the file match).
>
> Yeah, I was trying to satisfy pjdfstest, which expects the behavior of
> UFS.  Do you think we should disallow the null change?  If so we
> should do it for all file systems, not just fusefs.

No, I think we should go the other way and allow null changes for other
syscalls, and maybe get POSIX changed or clarified to allow the ffs
behaviour.  ISTR changing ffs to do what it does now, but ufs_chown() has
allowed null changes without privilege since at least FreeBSD-1, so the
only thing I might have changed is from strict POSIX back to the old
behaviour.

>> Most other attribute-setting syscalls don't allow null changes without
>> appropriate privilege.  E.g., in ffs:
>> - chflags() requires VADMIN privilege
>> - truncate() requires write privilege (this seems to be only checked for
>>    at the vfs level, where the nullness of a truncation is not easy to
>>    determine)
>> - utimes() and friends require VDMIN privilege or write privilege to set
>>    the current time (with the same layering as for truncate(), so is hard
>>    to change)
>
> But utimensat allows the null change without privileges, because it
> has an explicit way to specify the null change: UTIME_OMIT.

I forgot about utimensat().

This is technically best, but complicated.  Full complications would have
use options to control use of weakened privileges annd weakened error
checking.  This reminds me that mv(1) was weakened (broken) to not report
loss of file flags when moving across mount points.  This would be reasonable
as a default for cp -pR where the reporting is still done, but not for mv.

Bruce