concerns about non-root subvol snapshots

linux-btrfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Kees Cook <kees.cook@canonical.com>
To: linux-btrfs@vger.kernel.org
Subject: concerns about non-root subvol snapshots
Date: Wed, 11 Aug 2010 13:11:27 -0700	[thread overview]
Message-ID: <20100811201127.GZ4138@outflux.net> (raw)

Hi,

I have some concerns about how brtfs access-checks the creation of
subvol snapshots. AIUI, only the destination is validated, which
basically results in a super-powerful hardlink ability. Normally,
hardlinking is possible to individual files in the same way, which
results in creation a small attack surface (i.e. if /etc and /home are
in the same fs, link /etc/shadow to ~/.bad-admin-app.rc and exploit a
vulnerability in bad-admin-app to stomp on /etc/shadow). In the case of
a btrfs subvol snapshot, a user could duplicate an entire tree of their
choice, even stuff that the user cannot see (/var/log/audit could now be
linked into ~/.bad-admin-app/var/log/audit).

I'm aware that due to DAC and MAC, when being enforced, these duplicated
trees are generally considered safe, but my concerns come from the looming
specter of misbehaving admin tools (which have in the past been tricked
by hardlinks from time to time). In this case, that tool couldn't even
check hardlink count. :)

My knee-jerk reaction is that using subvol snapshot should require
CAP_SYS_RESOURCE or CAP_SYS_ADMIN instead of just "anyone". Though perhaps
this should be a mount option, I'm not entirely sure.

Any thoughts on how to accomplish this?

Thanks,

-Kees

-- 
Kees Cook
Ubuntu Security Team

                 reply	other threads:[~2010-08-11 20:11 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100811201127.GZ4138@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=linux-btrfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).