Re: [PATCH v2] fs: block cross-uid sticky symlinks

[tytso]

On Sun, May 30, 2010 at 08:04:02PM -0700, Kees Cook wrote:
>  - Violates POSIX.
>    - POSIX didn't consider this situation and it's not useful to follow
>      a broken specification at the cost of security.

POSIX allows implementations to fail requested operations with a
permission denied for reasons beyond that which is specified by the
POSIX implementation.  Indeed, POSIX doesn't specify the sticky bit at
all, so implementations that implemented the sticky bit were able to
pass POSIX precisely because it's OK to provide stricter semantics
than that which is specified by POSIX.  (The sticky bit is specified
in the XSI exstension to the Single Unix Specification, but the same
principle applies; it's OK for us have additional situations where we
return EACCESS beyond that which was contemplated by POSIX/SUS; this
alone wouldn't cause us to 'violate POSIX'.)

So for people who to argue against this (which I believe to be a
useful restriction, and not one that necessarily has to be done in a
LSM), it's not sufficient to say that it is a POSIX violation, because
it isn't.  The sticky bit itself wasn't originally considered by
POSIX, and many systems which implemented the sticky bit had no
problems becoming ceritifed as POSIX compliant.

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/