Re: [PATCH v2012.1] fs: symlink restrictions on sticky directories

From: Nick Bowler
Date: Thu Jan 05 2012 - 09:40:12 EST


On 2012-01-04 12:18 -0800, Kees Cook wrote:
> A long-standing class of security issues is the symlink-based
> time-of-check-time-of-use race, most commonly seen in world-writable
> directories like /tmp. The common method of exploitation of this flaw
> is to cross privilege boundaries when following a given symlink (i.e. a
> root process follows a symlink belonging to another user). For a likely
> incomplete list of hundreds of examples across the years, please see:
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
>
> The solution is to permit symlinks to only be followed when outside
> a sticky world-writable directory, or when the uid of the symlink and
> follower match, or when the directory owner matches the symlink's owner.
[...]
> diff --git a/fs/Kconfig b/fs/Kconfig
> index 5f4c45d..26ede24 100644
> --- a/fs/Kconfig
> +++ b/fs/Kconfig
> @@ -278,3 +278,19 @@ source "fs/nls/Kconfig"
> source "fs/dlm/Kconfig"
>
> endmenu
> +
> +config PROTECTED_STICKY_SYMLINKS
> + bool "Protect symlink following in sticky world-writable directories"
> + default y
[...]

Why do we need a config option for this? What's wrong with just using
the sysctl?

Why have you made this option "default y", when enabling it clearly
makes user-visible changes to kernel behaviour?

Cheers,
--
Nick Bowler, Elliptic Technologies (http://www.elliptictech.com/)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/