From: Randy Dunlap <rdunlap@xenotime.net>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-doc@vger.kernel.org, Rik van Riel <riel@redhat.com>,
Federica Teodori <federica.teodori@googlemail.com>,
Lucian Adrian Grijincu <lucian.grijincu@gmail.com>,
Ingo Molnar <mingo@elte.hu>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Eric Paris <eparis@redhat.com>,
Dan Rosenberg <drosenberg@vsecurity.com>,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH v2011.1] fs: symlink restrictions on sticky directories
Date: Wed, 07 Dec 2011 10:22:07 -0800
Message-ID: <4EDFAECF.9010407@xenotime.net>
In-Reply-To: <20111206235815.GA21764@www.outflux.net>
On 12/06/2011 03:58 PM, Kees Cook wrote:
> Documentation/sysctl/fs.txt | 21 ++++++++++++
> fs/Kconfig | 15 ++++++++
> fs/namei.c | 77 +++++++++++++++++++++++++++++++++++++++---
> kernel/sysctl.c | 10 +++++
> 4 files changed, 117 insertions(+), 6 deletions(-)
> diff --git a/fs/Kconfig b/fs/Kconfig
> index 5f4c45d..74b9e49 100644
> --- a/fs/Kconfig
> +++ b/fs/Kconfig
> @@ -278,3 +278,18 @@ source "fs/nls/Kconfig"
> source "fs/dlm/Kconfig"
>
> endmenu
> +
> +config PROTECTED_STICKY_SYMLINKS
> + bool "Protect symlink following in sticky world-writable directories"
> + help
> + A long-standing class of security issues is the symlink-based
> + time-of-check-time-of-use race, most commonly seen in
> + world-writable directories like /tmp. The common method of
> + exploitation of this flaw is to cross privilege boundaries
> + when following a given symlink (i.e. a root process follows
> + a malicious symlink belonging to another user).
> +
> + Enabling this solves the problem by permitting symlinks to only
better:
Enabling this solves the problem by permitting symlinks to be followed
only when the uid ...
> + be followed when outside a sticky world-writable directory,
> + or when the uid of the symlink and follower match, or when
> + the directory and symlink owners match.
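Review bot: the Kconfig help text in this hunk describes the policy but never mentions the protected_sticky_symlinks sysctl that the fs/namei.c kernel-doc refers to and that the kernel/sysctl.c and Documentation/sysctl/fs.txt entries in the diffstat imply, nor does it say whether this option only sets the boot-time value. Add a sentence after the policy description such as "This sets the initial value of the protected_sticky_symlinks sysctl, which can be changed at runtime", and consider an explicit `default` line, since the hunk currently relies on the implicit default of n.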
> diff --git a/fs/namei.c b/fs/namei.c
> index 5008f01..c4d0bfc 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -624,10 +625,69 @@ static inline void put_link(struct nameidata *nd, struct path *link, void *cooki
> +
> +/**
> + * may_follow_link - Check symlink following for unsafe situations
> + * @dentry: The inode/dentry of the symlink
> + * @nameidata: The path data of the symlink
> + *
> + * In the case of the protected_sticky_symlinks sysctl being enabled,
> + * CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
> + * in a sticky world-writable directory. This is to protect privileged
> + * processes from failing races against path names that may change out
> + * from under them by way of other users creating malicious symlinks.
> + * It will permit symlinks to only be followed when outside a sticky
similar:
It will permit symlinks to be followed only when outside a sticky
> + * world-writable directory, or when the uid of the symlink and follower
> + * match, or when the directory owner matches the symlink's owner.
> + *
> + * Returns 0 if following the symlink is allowed, -ve on error.
> + */
> +static inline int
> +may_follow_link(struct dentry *dentry, struct nameidata *nameidata)
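Review bot: the kernel-doc for may_follow_link() says it returns "-ve on error" without naming the errno; state the value returned when following is denied so that callers and the Documentation/sysctl/fs.txt text agree. Also, "CAP_DAC_OVERRIDE needs to be specifically ignored" reads as an instruction rather than a description of the check; phrase it as what the function does, e.g. "CAP_DAC_OVERRIDE is deliberately not honoured when the symlink is in a sticky world-writable directory", and say which credential of the follower is compared with the symlink's uid (fsuid or uid), since the quoted portion ends at the prototype and the body is not visible here.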
--
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***