|From:||Al Viro <viro-AT-ZenIV.linux.org.uk>|
|To:||Kees Cook <kees.cook-AT-canonical.com>|
|Subject:||Re: [PATCH v3] fs: allow protected cross-uid sticky symlinks|
|Date:||Tue, 1 Jun 2010 20:01:02 +0100|
|Cc:||Eric Paris <eparis-AT-redhat.com>, Christoph Hellwig <hch-AT-infradead.org>, James Morris <jmorris-AT-namei.org>, linux-kernel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, linux-fsdevel-AT-vger.kernel.org, linux-doc-AT-vger.kernel.org, Randy Dunlap <rdunlap-AT-xenotime.net>, Andrew Morton <akpm-AT-linux-foundation.org>, Jiri Kosina <jkosina-AT-suse.cz>, Dave Young <hidave.darkstar-AT-gmail.com>, Martin Schwidefsky <schwidefsky-AT-de.ibm.com>, David Howells <dhowells-AT-redhat.com>, Ingo Molnar <mingo-AT-elte.hu>, Peter Zijlstra <a.p.zijlstra-AT-chello.nl>, "Eric W. Biederman" <ebiederm-AT-xmission.com>, Tim Gardner <tim.gardner-AT-canonical.com>, "Serge E. Hallyn" <serue-AT-us.ibm.com>|
On Tue, Jun 01, 2010 at 11:52:48AM -0700, Kees Cook wrote: > A long-standing class of security issues is the symlink-based > time-of-check-time-of-use race, most commonly seen in world-writable > directories like /tmp. The common method of exploitation of this flaw > is to cross privilege boundaries when following a given symlink (i.e. a > root process follows a symlink belonging to another user). For a likely > incomplete list of hundreds of examples across the years, please see: > http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp > > The solution is to permit symlinks to only be followed when outside a sticky > world-writable directory, or when the uid of the symlink and follower match, > or when the directory owner matches the symlink's owner. > > Some pointers to the history of earlier discussion that I could find: I don't buy it. If we are concerned about the symlinks in the middle of pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b, have victim open /tmp/a/b/something). If we are not, then your checks are in the wrong place. "The more we prohibit, the safer we are" is best left to the likes of TSA; if we are really interested in security and not in security theatre or BDSM fetishism, let's make sure that heuristics we use make sense. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html
Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds