Hi,

Avoiding race conditions and symlink attacks is a difficult task (the attachment is a PoC which reads /etc/passwd in the host filesystem). Unfortunately, I don't see any immediate solution.

I think that good practice would be to chroot to p9dev->root_dir, but it requires root privileges (or user namespaces, but CLONE_NEWUSER isn't available or enabled on every distro). Additionally, the current directory and root directory are shared amongst pthreads, so it doesn't fit in the current thread model. Although requiring a lot of work, it's the safest solution IMHO.

I tried to make a draft patch based on "at" functions (openat, unlinkat, etc.) against a few filesystem operations (open, mkdir, and remove). I believe it's secure, but it introduces a lot of overhead.

A more elegant solution might exist, but I didn't find it...

Cheers

On 04/09/2016 04:53 PM, André Przywara wrote:
> I quickly checked the code you mentioned and your reasoning seems valid.
> Since you seem to have experience in those things, do you care to make
> patches for fixing it?
> Are there any good practices for constructing file names while making
> sure they stay within a certain hierarchy? Is realpath() a safe way?
>
> I started fixing every occurrence of strcpy, strcat, sprintf and scanf
> and will send the fixes ASAP, but would love to see some suggestion on
> how to address the file name construction issues you mentioned.
>
> Cheers,
> Andre.