
Restricting path name lookup with openat2()


Posted Aug 28, 2019 18:56 UTC (Wed) by nix (subscriber, #2304)
In reply to: Restricting path name lookup with openat2() by cyphar
Parent article: Restricting path name lookup with openat2()

My worry about this stuff is that people will start to use it unthinkingly, breaking real use cases: and with bind-mounts becoming more and more common as a result of containerization and other things, use of RESOLVE_NO_XDEV in particular seems like a disaster waiting to happen unless it is done in specific response to user request (in response to something like an -xdev flag, for instance). At the very least, this should come with some big warnings about careless use and note that users use mount points for all sorts of things, and refusing to traverse them without providing a way to change that decision is at the very least rude.

(In times past, I would have hoped that breaking real use cases could be fixed on a case-by-case basis by raising a bug and fixing the software, but in the current environment I just bet some people would say "Linux is not about choice" and demand that users stop using mount points in ways that break their software instead: after all, their laptop has only one big mount under / so your system should too. It seems best to me to try to stop this sort of thing from happening in the first place.)



Restricting path name lookup with openat2()

Posted Aug 29, 2019 3:44 UTC (Thu) by cyphar (subscriber, #110703)

We can definitely include a warning to that effect in the man page -- though I would hope that it would be obvious (as it is with RESOLVE_NO_SYMLINKS) that you shouldn't use it everywhere unless you specifically need it for some reason. However, libpathrs doesn't use RESOLVE_NO_XDEV -- only RESOLVE_IN_ROOT (which at the moment implies RESOLVE_NO_MAGICLINKS).
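An added example, not code from either commenter or from libpathrs: a lookup helper that always scopes resolution with RESOLVE_IN_ROOT and refuses mount-point crossings only when the user passes an `-xdev` switch, reporting EXDEV in a way that tells the user how to reverse the decision. The `ex_` names are hypothetical; the numeric constants are assumed to match the openat2() interface as merged in Linux 5.6 and are defined locally so the file builds against older headers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed values: openat2() UAPI as merged in Linux 5.6. */
#ifndef SYS_openat2
#define SYS_openat2 437
#endif
#define EX_RESOLVE_NO_XDEV 0x01
#define EX_RESOLVE_IN_ROOT 0x10
struct ex_open_how { uint64_t flags, mode, resolve; };

/* Hypothetical policy helper: mount crossing is refused only on request. */
uint64_t ex_resolve_mask(int xdev_requested)
{
    return EX_RESOLVE_IN_ROOT | (xdev_requested ? EX_RESOLVE_NO_XDEV : 0);
}

/* Open `path` read-only, scoped to rootfd. Returns an fd or -errno. */
int ex_open_in_root(int rootfd, const char *path, int xdev_requested)
{
    struct ex_open_how how;
    memset(&how, 0, sizeof(how));
    how.flags = O_RDONLY | O_CLOEXEC;
    how.resolve = ex_resolve_mask(xdev_requested);
    long fd = syscall(SYS_openat2, rootfd, path, &how, sizeof(how));
    return fd < 0 ? -errno : (int)fd;
}

int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s ROOT PATH [-xdev]\n", argv[0]); return 2; }
    int xdev = argc > 3 && strcmp(argv[3], "-xdev") == 0;
    int rootfd = open(argv[1], O_PATH | O_DIRECTORY | O_CLOEXEC);
    if (rootfd < 0) { perror(argv[1]); return 1; }
    int fd = ex_open_in_root(rootfd, argv[2], xdev);
    if (fd == -EXDEV)  /* only reachable when -xdev was given */
        fprintf(stderr, "%s: crosses a mount point; drop -xdev to allow it\n", argv[2]);
    else if (fd < 0)
        fprintf(stderr, "%s: %s\n", argv[2], strerror(-fd));
    return fd < 0;
}
```

On kernels without openat2() the helper returns -ENOSYS, so a caller needs a fallback path or a clear error rather than silently dropping the restriction.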

