From: Willy Tarreau <w@1wt.eu>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>,
Brad Spengler <spender@grsecurity.net>,
Al Viro <viro@zeniv.linux.org.uk>, Ingo Molnar <mingo@kernel.org>,
"security@kernel.org" <security@kernel.org>,
linux-kernel@vger.kernel.org,
Linux FS Devel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH)
Date: Wed, 21 Aug 2013 22:16:14 +0200 [thread overview]
Message-ID: <20130821201614.GJ23677@1wt.eu> (raw)
In-Reply-To: <CALCETrW7+LcexA6v6RQDKhni_yJAduOmiSDneCpq3v8sPDvwUQ@mail.gmail.com>
On Wed, Aug 21, 2013 at 12:33:24PM -0700, Andy Lutomirski wrote:
> On Wed, Aug 21, 2013 at 12:29 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> > On my phone, sorry. Removed lists due to HTML crud..
OK no HTML from me here, so re-adding the 3 lists if that can help reaching
an end faster on this stuff.
> > If the issue is just reopening a read-only file descriptor, then why isn't
> > this an issue for just regular openat?
> >
> > Iow, I get the feeling this isn't about flink, but about AT_EMPTY_PATH in
> > general.
That's my understanding as well since it's what replaces /proc/self/fd/ which
is he difference in this case. However AT_EMPTY_PATH is currently limited to
linkat(2), fstatat(2) and name_to_handle_at(2) from what I'm seeing, so it
looks like only linkat would permit the calling process to gain more permissions
by using it when it has no /proc access.
> Dunno, since I still haven't come up with a real-world attack here.
> Maybe someone chroots, runs something in the chroot, kills that thing,
> and then expects that it hasn't somehow retained access to the file
> (by, say, linking it).
In my understanding, it does not necessarily need to klil that thing to
get an issue. Let's imagine a completely made up example. A malware
scanner on a proxy uses sandboxes to analyse suspicious contents. For
this it holds a read-only mmap to the signature database, forks and
chroots the scanner process to avoid any risk of getting fooled by the
malicious code. If the malicious code manages to execute some code in
the context of the sandboxed scanner that still has access to the
signature db, it could use linkat(AT_EMPTH_PATH) to this fd to recreate
a file in the chroot, and reopen it R/W to modify it and remove any trace
of its signature.
Sure it's a bit far-fetched, but I think that between this and the most
trivial case, there might be a few real world cases. Also I still feel
concerned by the ability for an unprivileged process to create device
nodes in a chroot using this. I don't have any immediate impact in mind
but I tend to design my chroots so that I'm sure there is no way to get
a /dev there, and this would leave me a bit of doubt.
> It may pay to consider some (opt-in) hardening of procfs's follow_link.
I agree. A mount option would be great for some constrained environments.
> Sometimes I wish that hardlinks had never been invented and that
> people had gone straight to cow links.
>
> --Andy
:-)
Willy
next prev parent reply other threads:[~2013-08-21 20:16 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-21 19:14 [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Andy Lutomirski
[not found] ` <CA+55aFxi-ps2f2M8xPhfbuQ0pToqupPrDsLi2+GPUK2sqdYfUw@mail.gmail.com>
[not found] ` <CALCETrW7+LcexA6v6RQDKhni_yJAduOmiSDneCpq3v8sPDvwUQ@mail.gmail.com>
2013-08-21 20:16 ` Willy Tarreau [this message]
2013-08-22 18:48 ` Linus Torvalds
2013-08-22 18:53 ` Willy Tarreau
2013-08-22 19:05 ` Andy Lutomirski
2013-08-22 19:23 ` Linus Torvalds
2013-08-22 20:10 ` Andy Lutomirski
2013-08-22 20:15 ` Willy Tarreau
2013-08-22 20:22 ` Andy Lutomirski
2013-08-22 20:44 ` Linus Torvalds
2013-08-22 20:48 ` Andy Lutomirski
2013-08-22 20:54 ` Linus Torvalds
2013-08-22 20:58 ` Andy Lutomirski
2013-08-23 1:07 ` Al Viro
2013-08-25 3:37 ` Al Viro
2013-08-25 7:26 ` Andy Lutomirski
2013-08-25 14:23 ` Al Viro
2013-08-25 17:04 ` Andy Lutomirski
2013-08-25 19:57 ` Linus Torvalds
2013-08-25 20:06 ` Al Viro
2013-08-25 20:23 ` Linus Torvalds
2013-08-26 17:37 ` Linus Torvalds
2013-08-26 18:07 ` Linus Torvalds
2013-08-26 18:11 ` Andy Lutomirski
2013-08-27 19:16 ` [RFC PATCH] fs: Add user_file_or_path_at and use it for truncate Andy Lutomirski
2013-08-27 19:32 ` Linus Torvalds
2013-08-27 20:28 ` Andy Lutomirski
2013-08-28 6:16 ` Al Viro
2013-08-28 16:24 ` Linus Torvalds
2013-08-28 19:04 ` Andy Lutomirski
2013-08-28 19:59 ` Al Viro
2013-08-28 21:07 ` Andy Lutomirski
2013-08-27 23:08 ` Al Viro
2013-08-27 23:13 ` Andy Lutomirski
2013-08-24 18:29 ` /proc/pid/fd && anon_inode_fops Oleg Nesterov
2013-08-24 21:24 ` Willy Tarreau
2013-08-25 5:23 ` Al Viro
2013-08-25 6:50 ` Willy Tarreau
2013-08-25 18:51 ` Linus Torvalds
2013-08-25 19:48 ` Oleg Nesterov
2013-08-25 20:05 ` Linus Torvalds
2013-08-26 15:33 ` Oleg Nesterov
2013-08-26 16:37 ` Oleg Nesterov
2013-08-26 17:54 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:09 ` Linus Torvalds
2013-08-26 19:35 ` Linus Torvalds
2013-08-26 20:20 ` Willy Tarreau
2013-08-27 15:05 ` Oleg Nesterov
2013-08-27 14:39 ` [PATCH 0/1] proc: make /proc/self point to thread Oleg Nesterov
2013-08-27 14:40 ` [PATCH 1/1] " Oleg Nesterov
2013-08-27 16:39 ` Linus Torvalds
2013-08-27 17:49 ` Oleg Nesterov
2013-08-27 18:15 ` Linus Torvalds
2013-08-27 18:28 ` Oleg Nesterov
[not found] ` <CALCETrXP-mYBPRon=0NzexW1FK1Qxz2+Bwv7-WeHBQpvW7ywRg@mail.gmail.com>
2013-08-27 15:45 ` [PATCH] proc: make proc_fd_permission() thread-friendly Oleg Nesterov
2013-08-26 18:32 ` Eric W. Biederman
2013-08-26 18:46 ` Oleg Nesterov
2013-08-26 18:56 ` Oleg Nesterov
2013-08-26 19:10 ` Eric W. Biederman
2013-08-27 14:53 ` Oleg Nesterov
2013-08-25 18:32 ` /proc/pid/fd && anon_inode_fops Linus Torvalds
2013-08-25 19:11 ` Al Viro
2013-08-25 19:17 ` Andy Lutomirski
2013-09-03 15:58 ` Pavel Machek
2013-08-25 15:45 ` Oleg Nesterov
[not found] ` <20130825051044.GY27005@ZenIV.linux.org.uk>
[not found] ` <20130825155348.GB25922@redhat.com>
[not found] ` <CALCETrXrtP2C+g=QeNWK4EMctmonW91kWoO1xmy7rDmEj__1Dw@mail.gmail.com>
[not found] ` <20130825174936.GA30957@redhat.com>
2013-08-25 17:55 ` [PATCH 0/1] anon_inodefs: forbid open via /proc Oleg Nesterov
2013-08-25 17:55 ` [PATCH 1/1] " Oleg Nesterov
2013-08-22 19:39 ` [PATCH v2] vfs: Tighten up linkat(..., AT_EMPTY_PATH) Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130821201614.GJ23677@1wt.eu \
--to=w@1wt.eu \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@kernel.org \
--cc=oleg@redhat.com \
--cc=security@kernel.org \
--cc=spender@grsecurity.net \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.