
Local root vulnerability in snap-confine


Posted Feb 18, 2022 18:21 UTC (Fri) by jra (subscriber, #55261)
In reply to: Local root vulnerability in snap-confine by mfuzzey
Parent article: Local root vulnerability in snap-confine

One of the things I'd like to see is wide knowledge and availability of MNT_NOSYMFOLLOW use, and making it available as a normal mount flag.

Then applications can state:

"This application is only known to be secure when used on a filesystem mounted with the MNT_NOSYMFOLLOW option. Use on filesystems allowing symlinks can lead to race conditions and security vulnerabilities."

Let admins know how to protect themselves from this misfeature.



Local root vulnerability in snap-confine

Posted Feb 19, 2022 6:23 UTC (Sat) by intelfx (subscriber, #130118) [Link] (1 responses)

> "This application is only known to be secure when used on a filesystem mounted with the MNT_NOSYMFOLLOW option. Use on filesystems allowing symlinks can lead to race conditions and security vulnerabilities."

I wouldn't use such software.

Local root vulnerability in snap-confine

Posted Feb 19, 2022 23:21 UTC (Sat) by jra (subscriber, #55261) [Link]

If I can get this mount flag to be easily used I will certainly add it to the recommended settings for a Samba server.

I'm sick of symlink insanity.
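An added example, not part of the thread or of Samba's code: a startup check a service could run to confirm that the directory it serves sits on a mount carrying the no-symlink-follow flag discussed above. It assumes a Linux kernel that reports the flag as `nosymfollow` in the per-mount options field of `/proc/self/mountinfo`; the sample mount table, the paths and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 22 8:17 / /srv/share rw,nosuid,nodev,nosymfollow - ext4 /dev/sdb1 rw
31 22 8:33 / /srv/my\\040data rw,relatime - xfs /dev/sdc1 rw
"""

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return [(mount_point, per_mount_options)] in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split(" ")
        if len(fields) < 7 or "-" not in fields[6:]:
            continue  # skip malformed lines
        mounts.append((_unescape(fields[4]), set(fields[5].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that is a path-component prefix of `path`."""
    best = None
    for mount_point, opts in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            # >= so a later mount stacked on the same point wins
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, opts)
    return best

def is_nosymfollow(path, mountinfo_text):
    """True only if the mount holding `path` carries nosymfollow (fail closed)."""
    found = covering_mount(os.path.normpath(path), parse_mountinfo(mountinfo_text))
    return found is not None and "nosymfollow" in found[1]

def check_live(path):
    """Hypothetical startup check against the running system."""
    with open("/proc/self/mountinfo") as f:
        return is_nosymfollow(os.path.realpath(path), f.read())

if __name__ == "__main__":
    for p in ("/srv/share/docs", "/srv/my data/x", "/srv/sharefoo"):
        print(p, is_nosymfollow(p, SAMPLE_MOUNTINFO))
```

The prefix match is done on whole path components, so `/srv/sharefoo` is attributed to `/` rather than to `/srv/share`, and a path with no matching mount is reported as unprotected.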


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds