From 4392020ba011228e75f3cb129a1d10f93400d23a Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Mon, 10 Apr 2023 16:40:38 -0500
Subject: [PATCH] fs: Restrict 'fs flushall' to root
Commands like 'fs flush' and 'fs flushvolume' require the caller to be able to lookup the target file, but 'fs flushall' has no access checks at all, and hasn't since it was introduced in commit 4197bbecd9 (libafs: fs flushall for unix cm). This allows unauthenticated users to flush the cache of files/volumes they have no access to, and means flushing the entire cache requires less access than flushing parts of the cache, which doesn't make much sense.
Change the command to only be runnable by the local superuser root, and document the restriction.
Change-Id: I906d6c02a16b49ae31ab8e644a8ffb85c4e3434d
Reviewed-on: https://gerrit.openafs.org/15393
Reviewed-by: Cheyenne Wills
Tested-by: BuildBot
Reviewed-by: Michael Meffie
---
 doc/man-pages/pod1/fs_flushall.pod | 2 +-
 src/afs/afs_pioctl.c | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/man-pages/pod1/fs_flushall.pod b/doc/man-pages/pod1/fs_flushall.pod
index 38a9144611..cccbcd4552 100644
--- a/doc/man-pages/pod1/fs_flushall.pod
+++ b/doc/man-pages/pod1/fs_flushall.pod
@@ -42,7 +42,7 @@ as follows:
 =head1 PRIVILEGE REQUIRED
-No special privileges are required for this command.
+The issuer must be logged in as the local superuser C.
 =head1 SEE ALSO
diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c
index 17b9e0860e..1b304b5481 100644
--- a/src/afs/afs_pioctl.c
+++ b/src/afs/afs_pioctl.c
@@ -3680,6 +3680,7 @@ DECL_PIOCTL(PFlushVolumeData)
 *
 * \retval EINVAL Error if some of the standard args aren't set
 * \retval EIO Error if the afs daemon hasn't started yet
+ * \retval EACCES Error if the user doesn't have super-user credentials
 *
 * \post
 * Flush all cached contents. Exactly what stays and what 
@@ -3697,6 +3698,9 @@ DECL_PIOCTL(PFlushAllVolumeData)
     if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
         return EIO; /* Inappropriate ioctl for device */
+    if (!afs_osi_suser(*acred))
+        return EACCES;
+
     return FlushVolumeData(NULL, *acred);
 }
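Review bot: The new guard `if (!afs_osi_suser(*acred)) return EACCES;` in PFlushAllVolumeData hands the privilege decision to afs_osi_suser(), whose meaning is platform-specific — on Linux I believe it reduces to a capability check (CAP_SYS_ADMIN) rather than a uid-0 test, so the man page's "logged in as the local superuser root" may describe a narrower set of callers than the kernel actually admits; worth confirming and, if so, wording the pod as "superuser (or the platform's equivalent privilege)". The check reads the pioctl caller's credentials via `*acred` and the same `*acred` is then passed to FlushVolumeData(), so the gate and the flush agree on whose identity is used, which is the right shape. Because this is the only access control on a whole-cache flush, I would add a why-comment above the guard so it does not read as a leftover: `/* A whole-cache flush involves no path lookup, so there is no per-file access check to rely on; require superuser instead. */`. The enclosing function (DECL_PIOCTL(PFlushAllVolumeData) and its AFS_STATCNT prologue) begins above this hunk.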