Re: [PATCH v3] fs: allow protected cross-uid sticky symlinks

[Kees Cook]

On Tue, Jun 01, 2010 at 10:45:27PM +0100, Al Viro wrote:
> On Tue, Jun 01, 2010 at 02:07:34PM -0700, Kees Cook wrote:
> > > I don't buy it.  If we are concerned about the symlinks in the middle of
> > > pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b,
> > > have victim open /tmp/a/b/something).  If we are not, then your checks are
> > > in the wrong place.
> > 
> > Well, that's not traditionally where the problems happen, but I have no
> > problem strengthening the protection to include a full examination of the
> > entire path looking for sticky/world-writable directories.
> > 
> > If not, what is the right place for the checks?
> 
> Handling of trailing symlink on open().  At most.

What would this look like?  Moving the checks into may_open()?

> And I wouldn't be
> surprised if the real answer turns out to include "... if we have
> O_CREAT in flags", but that needs to be determined.

I think even without O_CREAT the protection is needed (some of the
/tmp-races are things like reading a file pointed to by a symlink and
spewing the contents to stderr, etc).

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/