Re: symlinks with permissions

From: J. Bruce Fields
Date: Mon Oct 26 2009 - 14:01:18 EST

Next message: Stefan Richter: "Re: [RFC] to rebase or not to rebase on linux-next"
Previous message: Mike Hommey: "[PATCH] Fix generic_block_fiemap for files bigger than 4GB"
In reply to: Casey Schaufler: "Re: symlinks with permissions"
Next in thread: Serge E. Hallyn: "Re: symlinks with permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 26, 2009 at 06:46:31PM +0100, Jan Kara wrote:
> On Mon 26-10-09 13:36:29, J. Bruce Fields wrote:
> > On Mon, Oct 26, 2009 at 11:57:29AM -0500, Serge E. Hallyn wrote:
> > > Quoting Jan Kara (jack@xxxxxxx):
> > > > Hi,
> > > >
> > > > On Sun 25-10-09 07:29:53, Pavel Machek wrote:
> > > > > ...yes, they do exist, in /proc/self/fd/* . Unfortunately, their
> > > > > permissions are not actually checked during open, resulting in
> > > > > (obscure) security hole: if you have fd open for reading, you can
> > > > > reopen it for write, even through unix permissions would not allow
> > > > > that.
> > > > >
> > > > > Now... I'd like to close the hole. One way would be to actually check
> > > > > symlink permissions on open -- because those symlinks already have
> > > > > correct permissions.
> > > > Hmm, I'm not sure I understand the problem. Symlink is just a file
> > > > containing a path. So if you try to open a symlink, you will actually open
> > > > a file to which the path points. So what security problem is here? Either
> > > > you can open the file symlink points to for writing or you cannot...
> > > > Anyway, if you want to play with this,
> > > > fs/proc/base.c:proc_pid_follow_link
> > > > is probably the function you are interested in.
> > >
> > > The problem he's trying to address is that users may try to protect
> > > a file by doing chmod 700 on the parent dir, but leave the file itself
> > > accessible. They don't realize that merely having a task with an open
> > > fd to that file gives other users another path to the file.
> > >
> > > Whether or not that's actually a problem is open to debate, but I think
> > > he's right that many users aren't aware of it.
> >
> > If /proc/self/fd/23 is a symlink to /home/me/privatedir/secret, then an
> > open("proc/self/fd/23",...) still traverses the whole /home/.../secret
> > path, and needs appropriate permissions at each step, doesn't it?
> >
> > Probably I'm just terminally confused....
> That's what I'd think as well but it does not as I've just learned and
> tested :) proc_pid_follow_link actually directly gives a dentry of the
> target file without checking permissions on the way.

Got it, thanks.--b.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stefan Richter: "Re: [RFC] to rebase or not to rebase on linux-next"
Previous message: Mike Hommey: "[PATCH] Fix generic_block_fiemap for files bigger than 4GB"
In reply to: Casey Schaufler: "Re: symlinks with permissions"
Next in thread: Serge E. Hallyn: "Re: symlinks with permissions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]