
Local root vulnerability in snap-confine


Posted Feb 17, 2022 20:15 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: Local root vulnerability in snap-confine by jra
Parent article: Local root vulnerability in snap-confine

To be totally fair, it also has a hardlink and mount vulnerability. Should we ban them as well?

IMO, it's POSIX API that we should stop deifying. It's a mess that evolved without much coherent thought.



Local root vulnerability in snap-confine

Posted Feb 17, 2022 20:21 UTC (Thu) by jra (subscriber, #55261) [Link] (4 responses)

Yes, the symlink problem isn't the only one. But vulnerabilities around hardlink and mount are so rare they are worth note.

Symlinks are the most common security problem with Linux applications. I agree the POSIX filesystem API is a horrible mess, but it's symlinks that have made it so. The worst part of it is that what you're calling the "POSIX API" is actually the thin layer on top of the Linux system call interface (which because of symlinks is also a horrible mess).

Banning symlinks would remove a large number (I did the stats for my SambaXP talk) of security holes in applications on Linux. Think of the ones we've yet to find.

Local root vulnerability in snap-confine

Posted Feb 17, 2022 20:28 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> Yes, the symlink problem isn't the only one. But vulnerabilities around hardlink and mount are so rare they are worth note.

But they're not!

Any way that can mutate the filesystem structure causes exactly the same problem, and this most definitely includes mounts/overlays. And overlays are becoming critical for containers that we would want to launch without admin permissions.

So mutability of the filesystem is not going away and apps will have to deal with it, symlinks or not.

> I agree the POSIX filesystem API is a horrible mess, but it's symlinks that have made it so.

Not really? It's mostly the lack of handle-based interfaces that is the issue, both for filesystem APIs and for the process/signals API.
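Added example, not part of the comment above or of any code discussed in this thread: a sketch of what handle-based path resolution looks like with the existing `openat(2)` call, walking a path one component at a time from a directory descriptor and refusing symlinks. The helper name `open_beneath_nofollow`, the `demo` function and the temporary directory layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open relpath beneath the directory handle dirfd, one
 * component at a time, refusing symlinks and "..". Returns an fd or -1. */
int open_beneath_nofollow(int dirfd, const char *relpath, int flags)
{
    char buf[4096], *save = NULL;
    if (relpath[0] == '/' || strlen(relpath) >= sizeof buf) return -1;
    strcpy(buf, relpath);
    int cur = dup(dirfd);              /* private handle; dirfd must be a real fd */
    char *comp = strtok_r(buf, "/", &save);
    while (cur >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        /* O_NOFOLLOW: the open fails if this component is itself a symlink. */
        int fl = (next ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW | O_CLOEXEC;
        int fd = strcmp(comp, "..") ? openat(cur, comp, fl) : -1;
        close(cur);                    /* next step resolves from fd, not a path */
        cur = fd;
        comp = next;
    }
    return cur;
}

/* Constructed layout: base/real/sub plus the symlink base/link -> real.
 * Returns 0 when real/sub opens and link/sub is refused. */
int demo(void)
{
    char base[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(base)) return -1;
    int dfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0 || mkdirat(dfd, "real", 0700) || mkdirat(dfd, "real/sub", 0700) ||
        symlinkat("real", dfd, "link")) return -1;
    int ok = open_beneath_nofollow(dfd, "real/sub", O_RDONLY | O_DIRECTORY);
    int bad = open_beneath_nofollow(dfd, "link/sub", O_RDONLY | O_DIRECTORY);
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlinkat(dfd, "real/sub", AT_REMOVEDIR);
    unlinkat(dfd, "link", 0);
    unlinkat(dfd, "real", AT_REMOVEDIR);
    close(dfd);
    rmdir(base);
    return (ok >= 0 && bad < 0) ? 0 : 1;
}
int main(void) { return demo(); }
```

On Linux 5.6 and later, `openat2(2)` with `RESOLVE_BENEATH` and `RESOLVE_NO_SYMLINKS` performs the same restriction in a single call.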

Local root vulnerability in snap-confine

Posted Feb 18, 2022 20:41 UTC (Fri) by developer122 (guest, #152928) [Link]

Side question: would it have done anything if it was originally required that the user have permissions for the destination if they wished to create a symlink? Is this feasible? (invalid symlinks might be a tricky edge case, especially if they're not invalidated when their target is removed)

Local root vulnerability in snap-confine

Posted Feb 18, 2022 0:55 UTC (Fri) by Karellen (subscriber, #67644) [Link]

> The worst part of it is that what you're calling the "POSIX API" is actually the thin layer on top of the Linux system call interface

That feels backwards to me.

Local root vulnerability in snap-confine

Posted Feb 18, 2022 1:15 UTC (Fri) by aabc (subscriber, #55202) [Link]

/proc/sys/fs/protected_symlinks?

