Re: [RFC] [PATCH] Add a "nolinks" mount option.

From: Colin Walters
Date: Wed Oct 19 2016 - 10:35:58 EST

On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal with the restriction of a fixed filename in the last
> component, but might still be exploitable.

Yeah, I meant that you'd walk the path string in userspace one by
one. That said, the "fstat at the end and check device" seems a
lot better, or perhaps the mount namespaces could help.

Also, don't forget about `setfsuid()`.

> The difficulty lies in applying these measures of precaution
> system-wide. This affects most init scripts and daemons, and
> everything else that keeps state on the writable file system.

One thing to note is that at least in the etc.
side of things, we basically never have privileged processes
accessing user home directories anymore.

A good example is that GDM used to read ~username/.config/face.png
or something like that to show the user's picture on the login screen, and that was
subject to many of the same risks.

But we've basically across the board migrated to a model where
the unprivileged user session talks to privileged daemons via
a DBus (or other) API. In this case, the picture data is stored
in accountsservice. NetworkManager is another big
example of this, where e.g. WiFi credentials can be per user, and
the session passes them to the privileged daemon over DBus,
rather than having the privileged process try to parse config files
in the user's homedir. It's a lot easier to secure.