Re: [PATCH v2] fs: block cross-uid sticky symlinks

From: tytso
Date: Tue Jun 01 2010 - 13:32:14 EST

Next message: Peter Zijlstra: "Re: [PATCH] rbtree: undo augmented damage -v2"
Previous message: Andi Kleen: "Re: [PATCH] use unfair spinlock when running on hypervisor."
In reply to: Eric Paris: "Re: [PATCH v2] fs: block cross-uid sticky symlinks"
Next in thread: Kees Cook: "Re: [PATCH v2] fs: block cross-uid sticky symlinks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Jun 01, 2010 at 11:34:37AM -0400, Eric Paris wrote:
>
> Seems like one of Alan's main arguments is that you should not turn it
> on 'by default.' I assume most distros will want it on by default.
> Alan made the same argument against mmap_min_addr (known to break dos
> emu) but I think most major distros have it on by default these days
> even if it does break those weird obscure use cases. I guess distros
> can do it through sysctl but Fedora, at least, likes to keep those
> default if possible, which is why I suggested the CONFIG. In any case,
> putting this right square in the VFS where it happens makes the most
> sense to me.

If the use cases where people would really want to support following a
third-party symlink located in a world-writable sticky-bitted
directory are real (I'm not really convinced they really are real),
then it might make more sense to do it as a sysctl-controlled variable
with distro's chooinsg to enable it by default in their shipped
/etc/sysctl.conf file. That way their users/customers will be able to
more easily disable the security feature if it really matters.

That being said, I'm not at all convinced there are any legtimiate use
cases that would be impacted by this change, and as I've pointed out
earlier, I don't think the "POSIX doesn't allow this change" argument
holds water, since POSIX originally didn't even allow for the
semantics for the sticky-bit on directories. The real argument is
going to come from traditionalists, who will argue, "that isn't the
traditional behaviour!"

How strongly you buy this as an argument is going to be religious
argument, since it's doubtful that it people can come up with real use
cases that will actually break with that sort of change --- especially
given that the vast majority of Linux systems are single-user systems,
and the main concern will be a privilege escalation attacks.

> I'd also like to point out that I don't buy the argument that per
> user /tmp/ is a 'better' solution for the general case. Any application
> that would be broken by this change will also be broken by per
> user /tmp. Now, if we used filesystem namespaces regularly for years
> and users, administrators, and developers dealt with them often I agree
> that would probably be the preferred solution. It would solve this
> issue, but in introduces a whole host of other problems that are even
> more obvious and even likely to bite people.

Per-user /tmp solves other problems as well, though --- especially for
people who care a whole lot about mandatory access control scenarios,
for example.

I do have a slight preference against per-user /tmp mostly because it
gets confusing for administrators, and because it could be used by
rootkits to hide themselves in ways that would be hard for most system
administrators to find.

- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Peter Zijlstra: "Re: [PATCH] rbtree: undo augmented damage -v2"
Previous message: Andi Kleen: "Re: [PATCH] use unfair spinlock when running on hypervisor."
In reply to: Eric Paris: "Re: [PATCH v2] fs: block cross-uid sticky symlinks"
Next in thread: Kees Cook: "Re: [PATCH v2] fs: block cross-uid sticky symlinks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]