From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [PATCH v3] fs: allow protected cross-uid sticky symlinks Date: Tue, 1 Jun 2010 22:45:27 +0100 Message-ID: <20100601214527.GU31073@ZenIV.linux.org.uk> References: <20100601185248.GB4098@outflux.net> <20100601190102.GT31073@ZenIV.linux.org.uk> <20100601210734.GD4098@outflux.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Eric Paris , Christoph Hellwig , James Morris , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-doc@vger.kernel.org, Randy Dunlap , Andrew Morton , Jiri Kosina , Dave Young , Martin Schwidefsky , David Howells , Ingo Molnar , Peter Zijlstra , "Eric W. Biederman" , Tim Gardner , "Serge E. Hallyn" To: Kees Cook Return-path: Content-Disposition: inline In-Reply-To: <20100601210734.GD4098@outflux.net> Sender: linux-doc-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Tue, Jun 01, 2010 at 02:07:34PM -0700, Kees Cook wrote: > > I don't buy it. If we are concerned about the symlinks in the middle of > > pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b, > > have victim open /tmp/a/b/something). If we are not, then your checks are > > in the wrong place. > > Well, that's not traditionally where the problems happen, but I have no > problem strengthening the protection to include a full examination of the > entire path looking for sticky/world-writable directories. > > If not, what is the right place for the checks? Handling of trailing symlink on open(). At most. And I wouldn't be surprised if the real answer turns out to include "... if we have O_CREAT in flags", but that needs to be determined.