
The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 0:53 UTC (Fri) by mathstuf (subscriber, #69389)
In reply to: The long road to a fix for CVE-2021-20316 by nix
Parent article: The long road to a fix for CVE-2021-20316

Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks? If so, all root processes are now vulnerable to these issues. If not, manual readlinks are needed to figure out where some path that was logged actually exists. And once those routines exist, they'll show up in all kinds of compat or convenience wrappers, have bugs themselves, and probably just put us back to where we started except now there'd be umpteen symlink resolution impls to check and maintain.


The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 12:50 UTC (Fri) by ibukanov (subscriber, #3942)

I suppose with this idea root will follow only root-created symlinks.

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 18:23 UTC (Sun) by khim (subscriber, #9252)

> Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks?

Root would follow only root-created symlinks. Everyone else would also follow root-created symlinks. Everyone else would just follow their own symlinks.

It's actually an interesting idea. Would need to see how many packages would break, but this wouldn't affect things like git (people rarely use unix permissions in the middle of git repos) while most distro-provided system symlinks would work.

I think there are some container solutions which use per-app UID (like on Android), would need to decide what to do about these.
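A userspace model of the ownership rule described in the comment above, added here as an example and not part of the thread or of any kernel code: it walks a path one component at a time and lists the symlinks that would not be followed for a given UID. The names `may_follow` and `refused_links` are hypothetical, and the rule is assumed to depend only on the link's owner and the caller's UID.

```python
import errno
import os
import stat
import tempfile

ROOT_UID = 0
MAX_LINKS = 40  # same bound Linux applies before failing with ELOOP


def may_follow(link_owner, caller_uid):
    # Rule from the comment: root-created links are followed by everyone,
    # any other link only by the user who created it (root included).
    return link_owner == ROOT_UID or link_owner == caller_uid


def refused_links(path, caller_uid):
    """Return [(symlink, owner_uid)] for links on `path` the rule would refuse."""
    if not os.path.isabs(path):
        path = os.path.join(os.getcwd(), path)
    todo = [p for p in path.split(os.sep) if p][::-1]  # stack of components
    cur, refused, hops = os.sep, [], 0
    while todo:
        part = todo.pop()
        if part == ".":
            continue
        if part == "..":
            cur = os.path.dirname(cur)  # cur holds no symlinks, so this is safe
            continue
        nxt = os.path.join(cur, part)
        try:
            st = os.lstat(nxt)
        except (FileNotFoundError, NotADirectoryError):
            break
        if not stat.S_ISLNK(st.st_mode):
            cur = nxt
            continue
        hops += 1
        if hops > MAX_LINKS:
            raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), path)
        if not may_follow(st.st_uid, caller_uid):
            refused.append((nxt, st.st_uid))  # keep walking to list every hit
        target = os.readlink(nxt)
        if os.path.isabs(target):
            cur = os.sep
        todo.extend(p for p in reversed(target.split(os.sep)) if p)
    return refused


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        os.symlink("/etc", os.path.join(d, "cfg"))
        print(refused_links(os.path.join(d, "cfg", "hostname"), ROOT_UID))
```

Run over paths taken from logs or package manifests, a walk like this gives a rough count of how many existing links the rule would stop resolving for a given user.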

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 19:02 UTC (Sun) by mjg59 (subscriber, #23239)

Hm. I wonder how viable it would be to implement this using the BPF LSM?

