public inbox for linux-kernel@vger.kernel.org
From: Hank Leininger <linux-kernel@progressive-comp.com>
To: linux-kernel@vger.kernel.org
Subject: Re: link() security
Date: Sat, 13 Apr 2002 13:48:19 -0400
Message-ID: <200204131748.g3DHmJS26868@marc2.theaimsgroup.com>

On 2002-04-13, xystrus <xystrus@haxm.com> wrote:

> On Sat, Apr 13, 2002 at 05:59:54PM +0100, Alan Cox wrote:
> > > http://openwall.com.  Work based on Solar Designer's Openwall patch
> > > has been brought forward to more recent 2.4 and 2.5 kernels.  Both
> > > the following projects implement the Openwall secure link feature:
> > > 
> > > http://grsecurity.net
> > > http://lsm.immunix.org
> > > 
> > > This can break some applications that make assumptions wrt. link(2)
> > > (Courier MTA for example).
> > 
> > How practical is it to make this a mount option and to do so cleanly ?

...I like the mount option idea, will explore for my next patch... ;)

> Perhaps two options: one to allow creation of the link only when the
> UIDs match; and the other to allow the link when GIDs match, to keep
> Courier happy?

Well, if UIDs match there's no problem.  From Openwall (2.2.20 fs/namei.c
at/near line 1312):
        if (current->fsuid != inode->i_uid &&
		...other tests

I've been using a modification[1] of the Openwall patch to allow the GID
case just as you describe, for some in-house secure drop-directory where
multiple daemons share a GID to play in their queue directory.  I've never
used Courier but it sounds like that may work w/this change as well.  From
2.2.20-hap-5 fs/namei.c line 1318:
#ifdef CONFIG_SECURE_NOTSOMUCH
	/*
	 * Let users hard link to files in their group.
	 */
	    current->fsgid != inode->i_gid &&
#endif

This works well, but the CONFIG_ option name is chosen for a reason; this
has some side effects which may not be desirable.  Allowing GID matches
will often result in users being able to hard link to each other's files, on
systems where users are all in group 'users' by default (and users have
files in non-0700 directories).

I know the grsecurity guys have ported most of both Openwall and HAP to
2.4, not positive if they carried over the NOTSOMUCH option but it'd be
simple to add.  Keep in mind all this violates POSIX standards so isn't
likely to ever be in-kernel, but the patches should be maintained for some
reasonably large value of $forever.

[1] http://www.theaimsgroup.com/~hlein/hap-linux/, the patch has many
    other things, just search for CONFIG_SECURE_NOTSOMUCH.

--
Hank Leininger <hlein@progressive-comp.com> 
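
Added example (not part of the message above and not code from the Openwall or HAP patches): a user-space C model of the check as the two snippets show it, with the elided "...other tests" reduced to a boolean, run over constructed users and files to show the side effect of the GID exemption. The struct layouts, helper names, paths and numeric IDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model only; field names follow the snippets in the message. */
struct task   { unsigned fsuid, fsgid; };
struct inode  { unsigned i_uid, i_gid; };
struct target { const char *path; struct inode ino; bool dir_searchable; };

/* other_tests stands in for the elided "...other tests" (true = they would
 * refuse the link); notsomuch models CONFIG_SECURE_NOTSOMUCH being set. */
bool link_denied(const struct task *t, const struct inode *i,
                 bool other_tests, bool notsomuch)
{
    if (t->fsuid == i->i_uid)
        return false;                 /* UIDs match: no restriction */
    if (notsomuch && t->fsgid == i->i_gid)
        return false;                 /* GID match exempts the caller */
    return other_tests;
}

/* Count targets the task can link to when the elided tests would refuse. */
size_t linkable(const struct task *t, const struct target *v, size_t n,
                bool notsomuch)
{
    size_t hits = 0;
    for (size_t k = 0; k < n; k++)
        if (v[k].dir_searchable && !link_denied(t, &v[k].ino, true, notsomuch))
            hits++;
    return hits;
}

/* Constructed sample: alice's default group is 100 ("users"). */
static const struct task alice = { 1000, 100 };
static const struct target sample[] = {
    { "/home/alice/notes",    { 1000, 100 }, true  },
    { "/home/bob/report",     { 1001, 100 }, true  },  /* non-0700 home */
    { "/home/carol/private",  { 1002, 100 }, false },  /* 0700 home */
    { "/var/spool/drop/job1", {  201,  50 }, true  },  /* daemon group */
};

int main(void)
{
    printf("strict=%zu notsomuch=%zu\n", linkable(&alice, sample, 4, false),
           linkable(&alice, sample, 4, true));
    return 0;
}
```

With the exemption on, alice gains bob's file through the shared default group, while a 0700 parent directory still keeps carol's file out of reach.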
  
