From: Pavel Machek <pavel@ucw.cz>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Jeff Layton <jlayton@redhat.com>,
Jamie Lokier <jamie@shareable.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
miklos@szeredi.hu
Subject: Re: [PATCH 0/3] vfs: plug some holes involving LAST_BIND symlinks and file bind mounts (try #5)
Date: Sun, 20 Dec 2009 20:59:03 +0100 [thread overview]
Message-ID: <20091220195903.GG23917@elf.ucw.cz> (raw)
In-Reply-To: <20091216123143.GA15784@ZenIV.linux.org.uk>
On Wed 2009-12-16 12:31:43, Al Viro wrote:
> On Mon, Nov 23, 2009 at 06:15:45PM -0500, Jeff Layton wrote:
>
> > The big question with all of this is: Should a task have the ability
> > to follow a /proc/pid symlink to a path that it wouldn't ordinarily be
> > able to resolve with a path lookup. The concensus that I got from the
> > bugtraq discussion was that it should not, and this patch is an attempt
> > to prevent that.
> >
> > I take it from you and Eric's comments that you disagree? If so, what's
> > your rationale for allowing a task to resolve this symlink when it
> > wouldn't ordinarily be able to do so if it were a "normal" symlink?
>
> WTF not? It's convenient and doesn't lose any real security. If your
> code relies on inaccessibility of <path> since some component of that
> path is inaccessible, you are *already* fscked. Consider e.g. fchdir()
> and its implications - if you have an opened descriptor for parent,
> having no exec permissions on grandparent won't stop you at all. Already.
> On all Unices, regardless of openat(), etc.
Consider FD passing over unix socket. Passing R/O file descriptor to
the other task, then having the task write to the file is certainly bad.
> I might buy the argument about restricting reopening with wider permissions,
> but
> a) we still are looking at possible userland breakage of the worst
> kind - random scripts passing /dev/fd/42 as command line arguments to
> random programs. Once in a while. With error checking being... not quite
> sufficient.
> b) it's not just open - we have at least chmod/chown/truncate to
> deal with.
That's indeed the sane way to solve that.
> Prohibiting *all* access is a complete non-starter - things like
> cmp foo /dev/stdin || ....
> would bloody better work and nobody cares whether you have redirect
> from something out of your reach at the moment.
Ok.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
next prev parent reply other threads:[~2009-12-20 19:59 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-23 17:41 [PATCH 0/3] vfs: plug some holes involving LAST_BIND symlinks and file bind mounts (try #5) Jeff Layton
2009-11-23 17:41 ` [PATCH 1/3] vfs: force reval of target when following LAST_BIND symlinks Jeff Layton
2009-11-23 17:41 ` [PATCH 2/3] vfs: force reval on dentry of bind mounted files on FS_REVAL_DOT filesystems Jeff Layton
2009-11-23 17:41 ` [PATCH 3/3] vfs: check path permissions on target of LAST_BIND symlinks Jeff Layton
2009-11-23 22:05 ` [PATCH 0/3] vfs: plug some holes involving LAST_BIND symlinks and file bind mounts (try #5) Eric W. Biederman
2009-11-23 22:36 ` Jeff Layton
2009-11-23 22:49 ` Jamie Lokier
2009-11-23 23:15 ` Jeff Layton
2009-11-23 23:35 ` Eric W. Biederman
2009-11-24 0:34 ` Jeff Layton
2009-11-24 1:20 ` Jamie Lokier
2009-11-24 11:26 ` Jeff Layton
2009-11-24 11:53 ` Miklos Szeredi
2009-11-24 12:09 ` Pavel Machek
2009-11-24 12:59 ` Miklos Szeredi
2009-11-30 12:28 ` Pavel Machek
2009-11-30 19:21 ` Eric W. Biederman
2009-11-24 13:13 ` Duane Griffin
2009-11-24 13:13 ` Duane Griffin
2009-11-30 19:00 ` Jamie Lokier
2009-12-01 8:56 ` Duane Griffin
2009-12-01 8:56 ` Duane Griffin
2009-12-16 12:31 ` Al Viro
2009-12-20 19:59 ` Pavel Machek [this message]
2009-12-20 21:04 ` Al Viro
2009-12-20 21:06 ` Pavel Machek
2009-12-20 21:23 ` Al Viro
2010-01-01 15:40 ` Pavel Machek
2010-01-10 4:42 ` Al Viro
2009-12-01 13:15 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091220195903.GG23917@elf.ucw.cz \
--to=pavel@ucw.cz \
--cc=ebiederm@xmission.com \
--cc=jamie@shareable.org \
--cc=jlayton@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.