Re: [PATCH v4] Add a "nosymfollow" mount option.

From: Aleksa Sarai
Date: Thu Jan 30 2020 - 20:51:56 EST

Next message: Walter Wu: "Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in stackdepot"
Previous message: Nathan Chancellor: "[PATCH v2] mlxsw: spectrum_qdisc: Fix 64-bit division error in mlxsw_sp_qdisc_tbf_rate_kbps"
In reply to: Matthew Wilcox: "Re: [PATCH v4] Add a "nosymfollow" mount option."
Next in thread: Ross Zwisler: "Re: [PATCH v4] Add a "nosymfollow" mount option."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2020-01-30, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> On Thu, Jan 30, 2020 at 05:27:50PM -0700, Ross Zwisler wrote:
> > For mounts that have the new "nosymfollow" option, don't follow
> > symlinks when resolving paths. The new option is similar in spirit to
> > the existing "nodev", "noexec", and "nosuid" options. Various BSD
> > variants have been supporting the "nosymfollow" mount option for a
> > long time with equivalent implementations.
> >
> > Note that symlinks may still be created on file systems mounted with
> > the "nosymfollow" option present. readlink() remains functional, so
> > user space code that is aware of symlinks can still choose to follow
> > them explicitly.
> >
> > Setting the "nosymfollow" mount option helps prevent privileged
> > writers from modifying files unintentionally in case there is an
> > unexpected link along the accessed path. The "nosymfollow" option is
> > thus useful as a defensive measure for systems that need to deal with
> > untrusted file systems in privileged contexts.
>
> The openat2 series was just merged yesterday which includes a
> LOOKUP_NO_SYMLINKS option. Is this enough for your needs, or do you
> need the mount option?

I have discussed a theoretical "noxdev" mount option (which is
effectively LOOKUP_NO_XDEV) with Howells (added to Cc) in the past, and
the main argument for having a mount option is that you can apply the
protection to older programs without having to rewrite them to use
openat2(2).

However, the underlying argument for "noxdev" was that you could use it
to constrain something like "tar -xf" inside a mountpoint (which could
-- in principle -- be a bind-mount). I'm not so sure that "nosymfollow"
has similar "obviously useful" applications (though I'd be happy to be
proven wrong).

If FreeBSD also has "nosymfollow", are there many applications where it
is used over O_BENEATH (and how many would be serviced by
LOOKUP_NO_SYMLINKS)?

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Attachment: signature.asc
Description: PGP signature

Next message: Walter Wu: "Re: [PATCH v3] lib/stackdepot: Fix global out-of-bounds in stackdepot"
Previous message: Nathan Chancellor: "[PATCH v2] mlxsw: spectrum_qdisc: Fix 64-bit division error in mlxsw_sp_qdisc_tbf_rate_kbps"
In reply to: Matthew Wilcox: "Re: [PATCH v4] Add a "nosymfollow" mount option."
Next in thread: Ross Zwisler: "Re: [PATCH v4] Add a "nosymfollow" mount option."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]