The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 23:51 UTC (Thu) by nix (subscriber, #2304)In reply to: The long road to a fix for CVE-2021-20316 by jra
Parent article: The long road to a fix for CVE-2021-20316
An alternative approach that breaks much less, probably nothing, while retaining the security benefits of root-only symlinks: non-root-owned symlinks (or, more generally, symlinks with uids not specified in a new file under /proc/sys somewhere: root only by default) are only followed by the user that owns them: other users get the effect of O_NOFOLLOW on that symlink without needing to ask for it.
Now hostile users can create all the symlinks they want, as can non-hostile users, and the use case the non-hostile users wanted still works (they can follow symlinks they created, and symlinks the sysadmin or package installer created), while the hostile users find that they are following the hostile symlinks they created, but nobody else is. This obviously should apply at all stages in path resolution, including if a path contains a symlink to a directory. (I don't think we need to worry about races involving symlink ownership suddenly changing, since only root can do that and if root is malicious you've already lost.)
Anyone still broken by this is probably using gid-shared directories for something, like it was the 1980s still. They're probably using ACLs too. A slightly more permissive mode, off by default or on only in directories with the setgid bit active or perhaps which are gid-writable, could apply the same check based on the gid of the symlink instead of the uid, which would fix this use case too. I'm sceptical this use case is common enough to worry about, though.
But symlink following in the specific case of following symlinks the admin made and symlinks the user themselves made is so useful that it simply shouldn't be broken. It's not some program's decision to not let me stitch things together with symlinks I created: it's mine, and programs should always follow them. Symlinks a random hostile user created, though -- why would I ever want to follow those? And thankfully file ownership tracks this perfectly well so we can always get the answer right :)
Posted Feb 11, 2022 0:18 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link] (2 responses)
While this is an interesting idea, I think it will likely be a non-starter because it changes long-established behavior. There will be things that break because of this, and "don't break userspace" is an important enough principle that it will not fly.
Posted Feb 11, 2022 14:27 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Feb 12, 2022 2:55 UTC (Sat)
by bartoc (guest, #124262)
[Link]
My userspace was just broken by lack of `/dev/mem` on my fedora box (I was trying to fetch the EDID of my display)
Posted Feb 11, 2022 0:53 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
Posted Feb 11, 2022 12:50 UTC (Fri)
by ibukanov (subscriber, #3942)
[Link]
Posted Feb 13, 2022 18:23 UTC (Sun)
by khim (subscriber, #9252)
[Link] (1 responses)
Root would follow only root-created symlinks. Everyone else would also follow root-created symlinks. Everyone else would just follow their own symlinks. It's actually interesting idea. Would need to see how many packages would break, but this wouldn't effect things like git (people rarely use unix permissions in the middle of git repos) while most distro-provided system symlinks would work. I think there are some container solutions which use per-app UID (like on Android), would need to decide what to do about these.
Posted Feb 13, 2022 19:02 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Feb 16, 2022 8:59 UTC (Wed)
by pmatilai (subscriber, #15420)
[Link] (2 responses)
That commit is of course only a tiny fraction (and buggy at that) of the overall problem which we're only just now getting close to resolving it in a wider sense - much like Samba, rpm traditionally used absolute paths for everything.
Posted Feb 18, 2022 1:50 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Feb 18, 2022 17:46 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link]
This is a false assumption. The owner of a file or directory can only change permissions or make other changes to it *if they can obtain a reference*. If you own /a/b but don't have search permissions (+x) on /a (and don't have /a/b as your current directory or some similar corner case) then you can't do anything with /a/b. However, under this rule you can still create a symlink to /a/b which would be followed by other users because you own /a/b, even though you can't access it yourself through /a. (The same issue impacts /proc/sys/fs/protected_symlinks=1.)
One option I haven't seen suggested yet would be to use the intersection of the permissions available to the original user and the owner(s) of any symlink(s) followed while resolving the path. Though in practice you might need more information than just the symlink's UID and GID to serve as the credentials, especially when relying on "negative ACLs", pluggable security modules like SELinux, or narrower group permissions overriding, rather than supplementing, broader "other" permissions.
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
> Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks?
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316
I've yet to see it break any legitimate case in the packaging world.
The long road to a fix for CVE-2021-20316
The long road to a fix for CVE-2021-20316