From 196c0010cb52c355e8aed4b6ede3c529b764bb18 Mon Sep 17 00:00:00 2001
From: jiefenghuang
Date: Thu, 21 Mar 2024 15:04:11 +0800
Subject: [PATCH] fix/acl: clear sgid in some cases
Signed-off-by: jiefenghuang
---
 pkg/meta/base.go | 9 +++++++++
 pkg/meta/redis.go | 8 ++++++++
 pkg/meta/sql.go | 8 ++++++++
 pkg/meta/tkv.go | 8 ++++++++
 4 files changed, 33 insertions(+)
diff --git a/pkg/meta/base.go b/pkg/meta/base.go
index 9364e6975190..7f4c37d602bb 100644
--- a/pkg/meta/base.go
+++ b/pkg/meta/base.go
@@ -2930,3 +2930,12 @@ func (m *baseMeta) GetFacl(ctx Context, ino Ino, aclType uint8, rule *aclAPI.Rul
 return m.en.doGetFacl(ctx, ino, aclType, aclAPI.None, rule)
 }
+
+func inGroup(ctx Context, gid uint32) bool {
+ for _, egid := range ctx.Gids() {
+ if egid == gid {
+ return true
+ }
+ }
+ return false
+}
diff --git a/pkg/meta/redis.go b/pkg/meta/redis.go
index 569ddfa0b121..f855780b5d5a 100644
--- a/pkg/meta/redis.go
+++ b/pkg/meta/redis.go
@@ -4647,6 +4647,14 @@ func (m *redisMeta) doSetFacl(ctx Context, ino Ino, aclType uint8, rule *aclAPI.
 }
 oriACL, oriMode := getAttrACLId(attr, aclType), attr.Mode
+
+ // https://github.com/torvalds/linux/blob/480e035fc4c714fb5536e64ab9db04fedc89e910/fs/fuse/acl.c#L143-L151
+ // TODO: check linux capabilities
+ if ctx.Uid() != 0 && !inGroup(ctx, attr.Gid) {
+ // clear sgid
+ attr.Mode &= 05777
+ }
+
 if rule.IsEmpty() { // remove acl
 setAttrACLId(attr, aclType, aclAPI.None)
diff --git a/pkg/meta/sql.go b/pkg/meta/sql.go
index f17f82c2c5b8..45d14b663b39 100644
--- a/pkg/meta/sql.go
+++ b/pkg/meta/sql.go
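Review bot: inGroup is added without a doc comment, yet it is the membership test the three doSetFacl hunks use to decide whether the setgid bit survives, so its contract should be stated: `// inGroup reports whether gid is among the group ids returned by ctx.Gids().` Whether ctx.Gids() includes the caller's primary (effective) gid or only the supplementary groups is not visible here; the kernel check this mirrors covers both, so if Gids() omits the primary group a caller whose primary group owns the file would wrongly lose the sgid bit — worth confirming against the Context implementation. If the module's Go version permits it, the loop can also be written as `return slices.Contains(ctx.Gids(), gid)`.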
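Review bot: The sgid-clearing block in doSetFacl runs before the `if rule.IsEmpty()` branch, so removing an ACL as a non-root caller outside the file's group also strips the setgid bit; in the referenced fuse/acl.c the kill-sgid flag is, as far as I read it, only requested when a non-null ACL is being set, so the block should either move under the non-empty path or its comment should state that removal is intentionally covered. The same block appears in the sql.go and tkv.go hunks of this commit. `attr.Mode &^= 02000` would say "clear S_ISGID" more directly than `attr.Mode &= 05777`, and it is only equivalent if Mode carries nothing above the 12 permission bits — if file-type bits can ever be present, the current mask silently drops them, which is worth a look. The `// TODO: check linux capabilities` note is the security-relevant gap: a caller with CAP_FSETID but uid != 0 has the bit cleared while uid 0 without it keeps it, so the TODO should at least name CAP_FSETID so the intended check is not lost. doSetFacl's body continues outside the hunk.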
@@ -4571,6 +4571,14 @@ func (m *dbMeta) doSetFacl(ctx Context, ino Ino, aclType uint8, rule *aclAPI.Rul
 }
 oriACL, oriMode := getAttrACLId(attr, aclType), attr.Mode
+
+ // https://github.com/torvalds/linux/blob/480e035fc4c714fb5536e64ab9db04fedc89e910/fs/fuse/acl.c#L143-L151
+ // TODO: check linux capabilities
+ if ctx.Uid() != 0 && !inGroup(ctx, attr.Gid) {
+ // clear sgid
+ attr.Mode &= 05777
+ }
+
 if rule.IsEmpty() { // remove acl
 setAttrACLId(attr, aclType, aclAPI.None)
diff --git a/pkg/meta/tkv.go b/pkg/meta/tkv.go
index 7bdf70b27c7c..175bf8372f8e 100644
--- a/pkg/meta/tkv.go
+++ b/pkg/meta/tkv.go
@@ -3853,6 +3853,14 @@ func (m *kvMeta) doSetFacl(ctx Context, ino Ino, aclType uint8, rule *aclAPI.Rul
 }
 oriACL, oriMode := getAttrACLId(attr, aclType), attr.Mode
+
+ // https://github.com/torvalds/linux/blob/480e035fc4c714fb5536e64ab9db04fedc89e910/fs/fuse/acl.c#L143-L151
+ // TODO: check linux capabilities
+ if ctx.Uid() != 0 && !inGroup(ctx, attr.Gid) {
+ // clear sgid
+ attr.Mode &= 05777
+ }
+
 if rule.IsEmpty() { // remove acl
 setAttrACLId(attr, aclType, aclAPI.None)