From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] symlink/hardlink/FIFO restrictions
Date: Wed, 7 Jun 2017 00:16:17 +0200 [thread overview]
Message-ID: <20170606221617.GA14451@openwall.com> (raw)
In-Reply-To: <20170606215534.GA13126@openwall.com>
On Tue, Jun 06, 2017 at 11:55:34PM +0200, Solar Designer wrote:
> The symlink restrictions in -ow vs. grsecurity look similar to me, but
> Kees' patches that eventually got merged upstream introduce an extra
> limitation on when the restrictions (do not) apply. In Kees' patches as
> posted in here, it was the "bool sensitive" parameter to follow_link(),
> which one of the calls set to false. In upstream code, the check is now
> only in the new trailing_symlink() function, which I guess is called in
> similar cases. As the name suggests, this probably means the symlink
> restrictions are only applied to last ("trailing") symlinks in a chain
> (and hopefully to symlinks on their own as well, without a chain).
> I guess this was suggested at some point, perhaps with some rationale
> given, but I didn't watch those many threads closely and missed it.
> Why wouldn't a "nested" symlink be used for a successful attack? The
> attacker can then provide their own "trailing" symlink in a non-+t
> directory pointing to the ultimate target. But maybe I misunderstand
> what is called "trailing" vs. "nested" in there?
I spoke too soon - should read code rather than derive meaning from
names. Looks like it's nested vs. trailing components in a pathname.
So we're only protecting against bad symlinks for the last pathname
component - not for upper directories in the path. Indeed, for typical
vulnerable programs it's the last pathname component that would be
attacked, but I am not sure if it's always the case nor whether we
needed this limitation in this security feature for some desirable uses.
Does this mean symlink attacks against not-yet-created directories like
/tmp/.X11-unix (so perhaps during the system's bootup, maybe when it
already started sshd but not yet X) are still possible even with the
feature enabled?
Alexander
next prev parent reply other threads:[~2017-06-06 22:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 21:55 [kernel-hardening] symlink/hardlink/FIFO restrictions Solar Designer
2017-06-06 22:16 ` Solar Designer [this message]
2017-06-06 22:57 ` Solar Designer
2017-06-07 4:00 ` Kees Cook
2017-06-07 4:10 ` Kees Cook
2017-06-07 12:06 ` Solar Designer
2017-06-23 4:27 ` Kees Cook
2017-06-24 14:43 ` Solar Designer
2017-09-13 15:32 ` Salvatore Mesoraca
2017-09-14 1:00 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170606221617.GA14451@openwall.com \
--to=solar@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.