From: Al Viro on 1 Jun 2010 17:50

On Tue, Jun 01, 2010 at 02:07:34PM -0700, Kees Cook wrote:
> > I don't buy it. If we are concerned about the symlinks in the middle of
> > pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b,
> > have victim open /tmp/a/b/something). If we are not, then your checks are
> > in the wrong place.
>
> Well, that's not traditionally where the problems happen, but I have no
> problem strengthening the protection to include a full examination of the
> entire path looking for sticky/world-writable directories.
>
> If not, what is the right place for the checks?

Handling of trailing symlink on open(). At most. And I wouldn't be
surprised if the real answer turns out to include "... if we have O_CREAT
in flags", but that needs to be determined.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo(a)vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

From: Kees Cook on 1 Jun 2010 18:30

On Tue, Jun 01, 2010 at 10:45:27PM +0100, Al Viro wrote:
> On Tue, Jun 01, 2010 at 02:07:34PM -0700, Kees Cook wrote:
> > > I don't buy it. If we are concerned about the symlinks in the middle of
> > > pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b,
> > > have victim open /tmp/a/b/something). If we are not, then your checks are
> > > in the wrong place.
> >
> > Well, that's not traditionally where the problems happen, but I have no
> > problem strengthening the protection to include a full examination of the
> > entire path looking for sticky/world-writable directories.
> >
> > If not, what is the right place for the checks?
>
> Handling of trailing symlink on open(). At most.

What would this look like? Moving the checks into may_open()?

> And I wouldn't be
> surprised if the real answer turns out to include "... if we have
> O_CREAT in flags", but that needs to be determined.

I think even without O_CREAT the protection is needed (some of the
/tmp-races are things like reading a file pointed to by a symlink and
spewing the contents to stderr, etc).

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team

From: Kees Cook on 2 Jun 2010 21:30

Hi,

On Thu, Jun 03, 2010 at 08:51:28AM +0800, Dave Young wrote:
> On Thu, Jun 3, 2010 at 6:23 AM, Kees Cook <kees.cook(a)canonical.com> wrote:
> > v2:
> >  - moved sysctl extern into security.h.
>
> Not in v4?
>
> > v3:
> >  - move into VFS core.
> >  - rename sysctl, invert logic.

Right, as part of the "move out of security/" the sysctl moved to live in
fs/namei.c (and therefore needed an extern in kernel/sysctl.c).

-Kees

--
Kees Cook
Ubuntu Security Team

From: Dave Young on 2 Jun 2010 21:50

On Thu, Jun 3, 2010 at 9:18 AM, Kees Cook <kees.cook(a)canonical.com> wrote:
> Hi,
>
> On Thu, Jun 03, 2010 at 08:51:28AM +0800, Dave Young wrote:
>> On Thu, Jun 3, 2010 at 6:23 AM, Kees Cook <kees.cook(a)canonical.com> wrote:
>> > v2:
>> >  - moved sysctl extern into security.h.
>>
>> Not in v4?
>>
>> > v3:
>> >  - move into VFS core.
>> >  - rename sysctl, invert logic.
>
> Right, as part of the "move out of security/" the sysctl moved to live in
> fs/namei.c (and therefore needed an extern in kernel/sysctl.c).

Then linux/fs.h is the place to go
sysctl_nr_open_min and sysctl_nr_open_max can go there as well.

>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>

--
Regards
dave

From: Kees Cook on 3 Jun 2010 00:50

On Thu, Jun 03, 2010 at 09:42:21AM +0800, Dave Young wrote:
> On Thu, Jun 3, 2010 at 9:18 AM, Kees Cook <kees.cook(a)canonical.com> wrote:
> > On Thu, Jun 03, 2010 at 08:51:28AM +0800, Dave Young wrote:
> >> On Thu, Jun 3, 2010 at 6:23 AM, Kees Cook <kees.cook(a)canonical.com> wrote:
> >> > v2:
> >> >  - moved sysctl extern into security.h.
> >>
> >> Not in v4?
> >>
> >> > v3:
> >> >  - move into VFS core.
> >> >  - rename sysctl, invert logic.
> >
> > Right, as part of the "move out of security/" the sysctl moved to live in
> > fs/namei.c (and therefore needed an extern in kernel/sysctl.c).
>
> Then linux/fs.h is the place to go
> sysctl_nr_open_min and sysctl_nr_open_max can go there as well.

Okay, I wasn't sure if that was right or not. I'll do that for v6, and send
the sysctl_nr_open_* in a separate patch.

Thanks!

-Kees

--
Kees Cook
Ubuntu Security Team