Fix ACL checks for NFS kernel server

For Linux NFS kernel server ops, fsuid and fsgid in cred are populated with ids that operation is being performed as, but euid and egid remain 0. In Linux when setresuid(2) and setresgid(2) are called, the fsuid and fsgid are set to the euid and egid respectively. This PR changes ZFS ACL checks to evaluate fsuid / fsgid rather than euid / egid to avoid accidentally granting elevated permissions to NFS clients. Signed-off-by: Andrew Walker <awalker@ixsystems.com>
openzfs · Mar 15, 2022 · 93a3516 · 93a3516
1 parent 2feba9a
commit 93a3516
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/module/os/linux/spl/spl-cred.c b/module/os/linux/spl/spl-cred.c
@@ -128,7 +128,7 @@ groupmember(gid_t gid, const cred_t *cr)
 uid_t
 crgetuid(const cred_t *cr)
 {
-	return (KUID_TO_SUID(cr->euid));
+	return (KUID_TO_SUID(cr->fsuid));
 }
 
 /* Return the real user id */
@@ -156,7 +156,7 @@ crgetfsuid(const cred_t *cr)
 gid_t
 crgetgid(const cred_t *cr)
 {
-	return (KGID_TO_SGID(cr->egid));
+	return (KGID_TO_SGID(cr->fsgid));
 }
 
 /* Return the real group id */