From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Serge E. Hallyn" Subject: Re: symlinks with permissions Date: Mon, 26 Oct 2009 11:57:29 -0500 Message-ID: <20091026165729.GF23564@us.ibm.com> References: <20091025062953.GC1391@ucw.cz> <20091026163157.GB7233@duck.suse.cz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Pavel Machek , kernel list , linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk, jamie@shareable.org To: Jan Kara Return-path: Content-Disposition: inline In-Reply-To: <20091026163157.GB7233@duck.suse.cz> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Quoting Jan Kara (jack@suse.cz): > Hi, > > On Sun 25-10-09 07:29:53, Pavel Machek wrote: > > ...yes, they do exist, in /proc/self/fd/* . Unfortunately, their > > permissions are not actually checked during open, resulting in > > (obscure) security hole: if you have fd open for reading, you can > > reopen it for write, even through unix permissions would not allow > > that. > > > > Now... I'd like to close the hole. One way would be to actually check > > symlink permissions on open -- because those symlinks already have > > correct permissions. > Hmm, I'm not sure I understand the problem. Symlink is just a file > containing a path. So if you try to open a symlink, you will actually open > a file to which the path points. So what security problem is here? Either > you can open the file symlink points to for writing or you cannot... > Anyway, if you want to play with this, > fs/proc/base.c:proc_pid_follow_link > is probably the function you are interested in. The problem he's trying to address is that users may try to protect a file by doing chmod 700 on the parent dir, but leave the file itself accessible. They don't realize that merely having a task with an open fd to that file gives other users another path to the file. Whether or not that's actually a problem is open to debate, but I think he's right that many users aren't aware of it. -serge