From: John Richard Moser <nigelenki@comcast.net>
To: Chris Wright <chrisw@osdl.org>
Cc: "Lorenzo Hernández García-Hierro" <lorenzo@gnu.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Filesystem linking protections
Date: Mon, 07 Feb 2005 14:43:03 -0500
Message-ID: <4207C4C7.8080704@comcast.net>
In-Reply-To: <20050207111235.Y24171@build.pdx.osdl.net>
Chris Wright wrote:
> * Lorenzo Hernández García-Hierro (lorenzo@gnu.org) wrote:
>
>>This patch adds two checks to do_follow_link() and sys_link(), to
>>prevent users from following (untrusted) symlinks owned by other users
>>in world-writable +t directories (i.e. /tmp), unless the owner of the
>>symlink is the owner of the directory; users will also not be able to
>>hardlink to files they do not own.
>>
>>The direct advantage of this pretty simple patch is that /tmp races will
>>be prevented.
>
>
> The disadvantage is that it can break things and places policy in the
> kernel.
>

It can break things, yes. For example, programs which have and use two
separate FS UIDs at the same time, or which attempt to make hardlinks to
files they don't own without CAP_FOWNER or root (should this just be
CAP_FOWNER? Is root now irrelevant?).

Hang on, when do any programs have 2 FS UIDs at the same time. . . .

I've yet to see this break anything on Ubuntu or Gentoo; Brad Spengler
claims this breaks nothing on Debian. On the other hand, this could
potentially squash the second most prevalent security bug.

> thanks,
> -chris
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
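
The linking policy summarised in the quoted patch description, modelled in userspace C as an added example; it is not part of the original message or of the patch under discussion. The function names `may_follow_link`, `may_hardlink` and `audit_symlink` are hypothetical, and the single `privileged` flag is an assumption standing in for the "CAP_FOWNER or root" exemption mentioned in the reply.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <libgen.h>
#include <limits.h>
#include <stdbool.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Symlink rule from the patch summary: in a world-writable sticky (+t)
 * directory, a link owned by another user is followed only when the
 * link's owner also owns the directory. */
bool may_follow_link(uid_t fsuid, const struct stat *dir, const struct stat *lnk)
{
    bool sticky_ww = (dir->st_mode & S_ISVTX) && (dir->st_mode & S_IWOTH);

    if (!S_ISLNK(lnk->st_mode) || !sticky_ww)
        return true;                     /* rule does not apply here */
    if (lnk->st_uid == fsuid)
        return true;                     /* follower owns the link */
    return lnk->st_uid == dir->st_uid;   /* directory owner placed the link */
}

/* Hardlink rule: the source file must be owned by the caller, unless the
 * caller is privileged (assumption: one flag for CAP_FOWNER/root). */
bool may_hardlink(uid_t fsuid, const struct stat *target, bool privileged)
{
    return privileged || target->st_uid == fsuid;
}

/* Audit helper: apply the symlink rule to a real path as seen by `fsuid`.
 * Returns 1 = allowed, 0 = denied, -1 = path too long or stat failed. */
int audit_symlink(const char *path, uid_t fsuid)
{
    char buf[PATH_MAX];
    struct stat lnk, dir;

    if (strlen(path) >= sizeof(buf) || lstat(path, &lnk) != 0)
        return -1;
    strcpy(buf, path);                   /* dirname() may modify its argument */
    if (stat(dirname(buf), &dir) != 0)
        return -1;
    return may_follow_link(fsuid, &dir, &lnk) ? 1 : 0;
}
```
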