Safer path lookup

Posted May 26, 2011 7:23 UTC (Thu) by epa (subscriber, #39769)
Parent article: Re: [PATCH 3/5] v2 seccomp_filters: Enable ftrace-based system call filtering

> a few new flags to pathname lookup that say "don't follow symlinks" and "don't follow '..'"

Yes please. This would be a great simplification of a lot of messy userspace code.

I'd even go so far as to say that in server code, these flags should be the default set by your programming language's standard library. I would rather have to set a special flag if I did want to allow ../ and symlinks in paths, and have the default be to fail safely. That question of defaults is not a kernel issue, however.


Safer path lookup

Posted May 26, 2011 13:06 UTC (Thu) by nix (subscriber, #2304)

That would annoy a lot of system administrators, who have long used symlinks to bind things into place when disk space runs low.

Safer path lookup

Posted May 26, 2011 13:41 UTC (Thu) by epa (subscriber, #39769)

> That would annoy a lot of system administrators, who have long used symlinks to bind things into place when disk space runs low.

Apache has an explicit FollowSymlinks flag which can be turned on or off as the sysadmin desires. That's probably the best way to do things. And if the default configuration has this flag turned off, that's also the right choice, on the principle that you can turn it on if you know what you're doing.

Support in the kernel for a no-symlinks flag might let Apache and other userspace programs do their path lookups more efficiently (and with less code, if you're willing to run on Linux only).
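
For reference, an added example that is not part of the comments above: the kind of userspace lookup the thread says such flags would simplify, walking a path one component at a time and refusing `..` and symlinks. The names `open_no_escape` and `make_sample_tree` are hypothetical, and the directory tree is constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, hypothetical helper: open `path` below dir fd `root`, refusing
 * absolute paths, "..", symlinks. No O_CREAT in `flags`. Returns fd or -1. */
int open_no_escape(int root, const char *path, int flags)
{
    char buf[4096], *save = NULL;
    if (path[0] == '/' || strlen(path) >= sizeof buf) {
        errno = EINVAL;
        return -1;
    }
    strcpy(buf, path);
    int dir = dup(root);               /* walk on a private descriptor */
    char *comp = strtok_r(buf, "/", &save);
    while (dir >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1, err = EACCES;     /* EACCES for "..": this example's choice */
        if (strcmp(comp, "..") != 0) {
            /* Last component gets caller's flags; O_NOFOLLOW fails on a symlink. */
            int f = next ? (O_RDONLY | O_DIRECTORY) : flags;
            fd = openat(dir, comp, f | O_NOFOLLOW | O_CLOEXEC);
            err = errno;
        }
        close(dir);
        errno = err;
        dir = fd;                      /* -1 ends the walk */
        comp = next;
    }
    return dir;                        /* empty path: a dup of root */
}

/* Constructed sample tree: sub/f, link -> sub, sub/lf -> f. Returns root fd. */
int make_sample_tree(void)
{
    char tmpl[] = "/tmp/lookupXXXXXX";
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0 || mkdirat(root, "sub", 0700) != 0)
        return -1;
    int fd = openat(root, "sub/f", O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || close(fd) || symlinkat("sub", root, "link"))
        return -1;
    return symlinkat("f", root, "sub/lf") ? -1 : root;
}
```

Each component is opened relative to the descriptor obtained for the previous one, so there is no window between checking a component and using it. Linux 5.6 and later offer the same checks in the kernel through `openat2()` with `RESOLVE_NO_SYMLINKS` and `RESOLVE_BENEATH`.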