From: Chris Wright <chris@wirex.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: xystrus <xystrus@haxm.com>, linux-kernel@vger.kernel.org
Subject: Re: link() security
Date: Sat, 13 Apr 2002 18:49:13 -0700
Message-ID: <20020413184913.E6039@figure1.int.wirex.com>
In-Reply-To: <20020411181524.A1463@figure1.int.wirex.com> <E16wQsU-0000cb-00@the-village.bc.nu>

* Alan Cox (alan@lxorguk.ukuu.org.uk) wrote:
>
> How practical is it to make this a mount option and to do so cleanly ?

Well, it's not too bad. Below is a patch (albeit quick and dirty)
that adds a MS_SECURE_LINK mount option to enforce this behaviour.
To simplify testing, I cheated and piggy backed the MS_SECURE_LINK option
on the MS_NOSUID option. So a simple 'mount -o nosuid,remount /foo'
enables this. The secure link test allows a hard link if you own the
target file or are in the same group _and_ can (by group) write to
the file, or have proper capability, of course. Patch is against
2.4.19-pre5-ac3.

cheers,
-chris

--- 2.4.19-pre5-ac3/fs/namespace.c.link Sat Apr 13 18:06:21 2002
+++ 2.4.19-pre5-ac3/fs/namespace.c Sat Apr 13 18:12:11 2002
@@ -707,8 +707,10 @@
return -EINVAL;
/* Separate the per-mountpoint flags */
- if (flags & MS_NOSUID)
+ if (flags & MS_NOSUID) {
mnt_flags |= MNT_NOSUID;
+ flags |= MS_SECURE_LINK;
+ }
if (flags & MS_NODEV)
mnt_flags |= MNT_NODEV;
if (flags & MS_NOEXEC)
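Review bot: the added "flags |= MS_SECURE_LINK;" inside the MS_NOSUID branch has to come out before this can be merged. As written, every nosuid mount gets the link restriction with no way to opt out, and the restriction cannot be requested without nosuid. Note also that the surrounding code is the "per-mountpoint flags" section and MS_NOSUID ends up in mnt_flags, while the new bit is OR-ed back into flags, so the two options do not share a scope even though one now implies the other. Please let the caller pass MS_SECURE_LINK itself and leave the MS_NOSUID branch as it was.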
--- 2.4.19-pre5-ac3/fs/namei.c.link Sat Apr 13 18:06:21 2002
+++ 2.4.19-pre5-ac3/fs/namei.c Sat Apr 13 18:12:11 2002
@@ -1614,6 +1614,11 @@
error = -EPERM;
if (IS_APPEND(inode) || IS_IMMUTABLE(inode))
goto exit_lock;
+ if (IS_SECURE_LINK(inode) && (!capable(CAP_FOWNER) &&
+ current->fsuid != inode->i_uid &&
+ (current->fsgid != inode->i_gid ||
+ !(inode->i_mode & S_IWGRP))))
+ goto exit_lock;
if (!dir->i_op || !dir->i_op->link)
goto exit_lock;
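Review bot: the group test "current->fsgid != inode->i_gid" only looks at the caller's fsgid, so a user who belongs to the file's group through a supplementary group is refused, although the description says the link is allowed when you are "in the same group". in_group_p(inode->i_gid) would cover both cases. Two smaller points on the same condition: capable(CAP_FOWNER) is evaluated first, so it runs even when the caller owns the file; moving it to the end of the && chain keeps the privilege check for the case that needs it. And the nested negations are hard to audit for a security check; a small helper that returns "may link" with one positive clause per allowed case (owner, group with S_IWGRP, capability) plus a comment stating the rule would be easier to review.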
--- 2.4.19-pre5-ac3/include/linux/fs.h.link Sat Apr 13 18:06:21 2002
+++ 2.4.19-pre5-ac3/include/linux/fs.h Sat Apr 13 18:15:38 2002
@@ -111,6 +111,7 @@
#define MS_MOVE 8192
#define MS_REC 16384
#define MS_VERBOSE 32768
+#define MS_SECURE_LINK 65536
#define MS_ACTIVE (1<<30)
#define MS_NOUSER (1<<31)
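Review bot: the new "#define MS_SECURE_LINK 65536" carries no comment, and the name alone does not say which links are refused. A one-line comment stating the rule (hard links only by owner, group member with group write, or CAP_FOWNER) would help, since this value becomes part of the mount flag interface that user space has to match.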
@@ -118,7 +119,7 @@
* Superblock flags that can be altered by MS_REMOUNT
*/
#define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_NOATIME|\
- MS_NODIRATIME)
+ MS_NODIRATIME|MS_SECURE_LINK)
/*
* Old magic mount flag and mask
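Review bot: adding MS_SECURE_LINK to MS_RMT_MASK makes the flag alterable by MS_REMOUNT in both directions, so a remount that omits it turns the restriction off. Combined with the namespace.c hunk, a later remount without nosuid would drop the link protection as a side effect. Please state in the description whether clearing on remount is intended, and if it is, document it next to the mask.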
@@ -161,6 +162,7 @@
#define IS_IMMUTABLE(inode) ((inode)->i_flags & S_IMMUTABLE)
#define IS_NOATIME(inode) (__IS_FLG(inode, MS_NOATIME) || ((inode)->i_flags & S_NOATIME))
#define IS_NODIRATIME(inode) __IS_FLG(inode, MS_NODIRATIME)
+#define IS_SECURE_LINK(inode) __IS_FLG(inode, MS_SECURE_LINK)
#define IS_DEADDIR(inode) ((inode)->i_flags & S_DEAD)
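Review bot: IS_SECURE_LINK takes only the inode and is built on __IS_FLG like IS_NODIRATIME, so the test cannot depend on which mount the link() call came through. That makes the restriction a property of the whole filesystem, whereas the nosuid option it is tied to in namespace.c is handled as a per-mountpoint flag. If per-mount control is the goal, the check in namei.c needs to consult the mount rather than the inode; if per-filesystem is intended, say so in the description.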