linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jamie Lokier <jamie@shareable.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Pavel Machek <pavel@ucw.cz>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Trond Myklebust <trond.myklebust@fys.uio.no>,
	Jan Kara <jack@suse.cz>, "J. Bruce Fields" <bfields@fieldses.org>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	kernel list <linux-kernel@vger.kernel.org>,
	linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk
Subject: Re: symlinks with permissions
Date: Wed, 28 Oct 2009 19:44:51 +0000	[thread overview]
Message-ID: <20091028194451.GC17475@shareable.org> (raw)
In-Reply-To: <4AE87292.20802@schaufler-ca.com>

Casey Schaufler wrote:
> Pavel Machek wrote:
> > The actual permissions of the file are not ignored, but permissions of
> > the containing directory _are_. If there's 666 file in 700 directory,
> > you can reopen it read-write, in violation of directory's 700
> > permissions.
> > 									Pavel
> 
> There is no security violation here. Consider the case where
> the file is unlinked after it is opened. What directory permissions
> would matter in that case?

That's an even worse security violation.

If you have a file opened read-only which is unlinked (and there's no
other file descriptors to it), it is impossible to modify the file
except through this quirk of /proc/NN/fd.  In traditional unix, it is
impossible to modify full stop.  Even root can't write to it.

Paths are in this discussion as an *example* of something that cannot
be done except through /proc/NN/fd.  Paths are not the issue.

As you've noticed, the same security hole occurs for files which have
been unlinked and don't have any path.

The real issue is gaining more access to an open file than you had before.

> Or what about the case where the file
> has a link count of 2, say /a/foo and /b/ish are hard links. If
> /a is 777 and /b is 700 what would your position be regarding
> the file descriptor obtained by opening /b/ish?

It depends on the flag passed to open() when the file descriptor is
obtained.  That's where the pseudo-symlink permission comes from,
which is what Pavel is getting it.

> The path name is an ethereal convenience and once traversed has no
> bearing on the security state of the object.

That's right.  The security state should depend _only_ on the
file open mode, that is O_RDONLY/WRONLY/RDWR/APPEND.

That is more or less what Pavel is saying too, because the
pseudo-symlink permission is calculated from the file open mode
(except for O_APPEND, which is why it shouldn't be done using the
pseudo-symlink permission).  Ignore the path aspect, it's just a distraction.

-- Jamie

  reply	other threads:[~2009-10-28 19:44 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-10-25  6:29 symlinks with permissions Pavel Machek
2009-10-26 16:31 ` Jan Kara
2009-10-26 16:57   ` Serge E. Hallyn
2009-10-26 17:36     ` J. Bruce Fields
2009-10-26 17:46       ` Jan Kara
2009-10-26 17:57         ` Trond Myklebust
2009-10-25  9:36           ` Pavel Machek
2009-10-26 18:22             ` Trond Myklebust
2009-10-27  8:11               ` Pavel Machek
2009-10-27 10:27                 ` Jamie Lokier
2009-10-26 18:35             ` J. Bruce Fields
2009-10-28  4:15             ` Eric W. Biederman
2009-10-28  8:16               ` Pavel Machek
2009-10-28 11:25                 ` Eric W. Biederman
2009-10-28 21:03                   ` Pavel Machek
2009-10-29  2:20                     ` Eric W. Biederman
2009-10-29 11:03                       ` Pavel Machek
2009-10-29 16:23                         ` Eric W. Biederman
2009-10-30 18:35                           ` Pavel Machek
2009-10-30 20:37                             ` Nick Bowler
2009-10-30 23:03                             ` Eric W. Biederman
2009-10-31  2:30                               ` Jamie Lokier
2009-10-28 16:34                 ` Casey Schaufler
2009-10-28 19:44                   ` Jamie Lokier [this message]
2009-10-28 21:06                   ` Pavel Machek
2009-10-26 18:02         ` J. Bruce Fields
2009-10-26 17:57       ` Serge E. Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091028194451.GC17475@shareable.org \
    --to=jamie@shareable.org \
    --cc=bfields@fieldses.org \
    --cc=casey@schaufler-ca.com \
    --cc=ebiederm@xmission.com \
    --cc=jack@suse.cz \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pavel@ucw.cz \
    --cc=serue@us.ibm.com \
    --cc=trond.myklebust@fys.uio.no \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).