From: Serge Hallyn <serge.hallyn@ubuntu.com>
To: Miklos Szeredi <miklos@szeredi.hu>,
Alexander Viro <viro@zeniv.linux.org.uk>,
"Eric W. Biederman" <ebiederm@xmission.com>,
fuse-devel@lists.sourceforge.net, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v2 1/3] vfs: Check for invalid i_uid in may_follow_link()
Date: Fri, 5 Sep 2014 19:23:34 +0000 [thread overview]
Message-ID: <20140905192334.GR16450@ubuntumail> (raw)
In-Reply-To: <20140905190053.GB84919@ubuntu-hedt>
Quoting Seth Forshee (seth.forshee@canonical.com):
> On Fri, Sep 05, 2014 at 05:05:09PM +0000, Serge Hallyn wrote:
> > Quoting Seth Forshee (seth.forshee@canonical.com):
> > > Filesystem uids which don't map into a user namespace may result
> > > in inode->i_uid being INVALID_UID. A symlink and its parent
> > > could have different owners in the filesystem can both get
> > > mapped to INVALID_UID, which may result in following a symlink
> > > when this would not have otherwise been permitted. Prevent this
> > > by adding a check that the uid is valid before the comparison.
> > >
> > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
> >
> > I'm a bit uncomfortable about this, but I can't put my finger
> > on why. Wonder if it could mess up root looking into
> > a malicious user's task by looking under /proc/self/root.
> > I suppose not, as this should only be the case (with root in
> > init_user_ns) for fuse?
> >
> > Anyway it seems needed for keeping root from falling into a trap.
>
> This shouldn't mess up looking into /proc/self/root or anything else
> where the symlink isn't under control of the malicious user. Plus this
> restriction only applies to world-writable directories with the sticky
> bit set.
Oh - yeah, i saw that and glossed over it for some reason. Thanks.
> > Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
> >
> > > ---
> > > fs/namei.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/fs/namei.c b/fs/namei.c
> > > index a996bb48dfab..193da09e903e 100644
> > > --- a/fs/namei.c
> > > +++ b/fs/namei.c
> > > @@ -741,7 +741,7 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd)
> > > return 0;
> > >
> > > /* Allowed if parent directory and link owner match. */
> > > - if (uid_eq(parent->i_uid, inode->i_uid))
> > > + if (uid_valid(inode->i_uid) && uid_eq(parent->i_uid, inode->i_uid))
> > > return 0;
> > >
> > > audit_log_link_denied("follow_link", link);
> > > --
> > > 1.9.1
> > >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
next prev parent reply other threads:[~2014-09-05 19:23 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-02 15:44 [PATCH v2 0/3] fuse: Add support for mounts from pid/user namespaces Seth Forshee
2014-09-02 15:44 ` [PATCH v2 1/3] vfs: Check for invalid i_uid in may_follow_link() Seth Forshee
2014-09-05 17:05 ` Serge Hallyn
2014-09-05 19:00 ` Seth Forshee
2014-09-05 19:23 ` Serge Hallyn [this message]
2014-09-02 15:44 ` [PATCH v2 2/3] fuse: Translate pids passed to userspace into pid namespaces Seth Forshee
2014-09-05 17:10 ` Serge Hallyn
2014-09-02 15:44 ` [PATCH v2 3/3] fuse: Add support for mounts from user namespaces Seth Forshee
2014-09-05 16:48 ` Serge Hallyn
2014-09-05 17:36 ` Seth Forshee
2014-09-05 19:25 ` Serge Hallyn
[not found] ` <1409672696-15847-1-git-send-email-seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
2014-09-05 20:40 ` [PATCH v2 0/3] fuse: Add support for mounts from pid/user namespaces Seth Forshee
2014-09-05 20:40 ` Seth Forshee
2014-09-10 12:35 ` Seth Forshee
2014-09-10 12:35 ` Seth Forshee
2014-09-10 16:21 ` Serge E. Hallyn
2014-09-10 16:42 ` Seth Forshee
2014-09-11 18:10 ` Seth Forshee
2014-09-23 22:29 ` Eric W. Biederman
2014-09-24 13:29 ` Seth Forshee
2014-09-24 17:10 ` Eric W. Biederman
2014-09-25 15:04 ` Miklos Szeredi
2014-09-25 16:21 ` Seth Forshee
2014-09-25 18:05 ` Eric W. Biederman
2014-09-25 18:44 ` Seth Forshee
2014-09-25 18:53 ` Seth Forshee
2014-09-25 19:14 ` Eric W. Biederman
2014-09-25 19:48 ` Seth Forshee
2014-09-27 1:41 ` Eric W. Biederman
2014-09-27 1:41 ` Eric W. Biederman
2014-09-27 4:24 ` Seth Forshee
2014-09-29 19:34 ` Eric W. Biederman
[not found] ` <87tx3qdxuz.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-09-30 16:25 ` Seth Forshee
2014-09-30 16:25 ` Seth Forshee
2014-10-05 16:48 ` Seth Forshee
2014-10-06 16:00 ` Serge Hallyn
2014-10-06 16:31 ` Seth Forshee
2014-10-06 16:36 ` Serge Hallyn
2014-10-06 16:37 ` Michael j Theall
2014-09-23 16:07 ` Miklos Szeredi
2014-09-23 16:26 ` Seth Forshee
2014-09-23 17:03 ` Miklos Szeredi
2014-09-23 17:33 ` Seth Forshee
2014-09-23 21:46 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140905192334.GR16450@ubuntumail \
--to=serge.hallyn@ubuntu.com \
--cc=ebiederm@xmission.com \
--cc=fuse-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.