From: Solar Designer <solar@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] symlink/hardlink/FIFO restrictions
Date: Wed, 7 Jun 2017 00:57:39 +0200 [thread overview]
Message-ID: <20170606225739.GA14682@openwall.com> (raw)
In-Reply-To: <20170606221617.GA14451@openwall.com>
On Wed, Jun 07, 2017 at 12:16:17AM +0200, Solar Designer wrote:
> So we're only protecting against bad symlinks for the last pathname
> component - not for upper directories in the path. Indeed, for typical
> vulnerable programs it's the last pathname component that would be
> attacked, but I am not sure if it's always the case nor whether we
> needed this limitation in this security feature for some desirable uses.
>
> Does this mean symlink attacks against not-yet-created directories like
> /tmp/.X11-unix (so perhaps during the system's bootup, maybe when it
> already started sshd but not yet X) are still possible even with the
> feature enabled?
Confirmed this by testing (with a dummy user-owned directory in /tmp).
I think this is actually fine, because we were not protecting against a
variation of those attacks anyway: where the attacker could have created
a non-+t directory of their own in place of /tmp/.X11-unix or the like.
Then symlinks placed in that directory wouldn't be protected anyway.
If we tried to protect against such "directory attacks", it'd be very
similar to the "no unsafe writes" policy (and maybe "no unsafe reads"
too) I mentioned in the thread about TPE here. (Even though I admit
it's out of scope / off-topic for TPE.)
Alexander
next prev parent reply other threads:[~2017-06-06 22:57 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-06 21:55 [kernel-hardening] symlink/hardlink/FIFO restrictions Solar Designer
2017-06-06 22:16 ` Solar Designer
2017-06-06 22:57 ` Solar Designer [this message]
2017-06-07 4:00 ` Kees Cook
2017-06-07 4:10 ` Kees Cook
2017-06-07 12:06 ` Solar Designer
2017-06-23 4:27 ` Kees Cook
2017-06-24 14:43 ` Solar Designer
2017-09-13 15:32 ` Salvatore Mesoraca
2017-09-14 1:00 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170606225739.GA14682@openwall.com \
--to=solar@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.