public inbox for linux-kernel@vger.kernel.org
From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: symlinks with permissions (fwd)
Date: Thu, 29 Oct 2009 08:05:39 +0000 (UTC)	[thread overview]
Message-ID: <hcbicj$qm4$2@taverner.cs.berkeley.edu> (raw)
In-Reply-To: 4AE922F9.5020506@schaufler-ca.com

Casey Schaufler wrote:
>Gawd, I hate to say this, but people have been improperly educated
>if they expect directory permissions to behave thusly. You can not
>count on the permissions on a directory to protect access on a file
>that the directory contains a reference to. Hard links. Mount points.

1) Pavel's script takes care of hard links.  I'm not familiar with
the mount points issue.  I don't see how passing file descriptors over
sockets or fork() is relevant.

Pavel shows how a process can create its own directory, create a file
in that directory, and set up file permissions in such a way that it can
have a reasonable expectation that others will not be able to gain write
access to that file.  As far as I can tell, that expectation was met,
up until the /proc mechanism under question was introduced.  But the
/proc mechanism violates this expectation.  Yes, Pavel's method does
protect against hard links.

2) If you think folks have been improperly educated, can you point to
the Linux documentation that says not to rely upon directory permissions
for security purposes?

There's plenty of stuff that relies upon directory permissions for
security, and it's important that they be able to do so.

Do you mean to suggest that having root do a massive "chmod a+rx" on
every directory on the filesystem can never introduce security holes?
That sounds to me like it would be an absurd statement, yet it seems to
follow logically from your claim about directory permissions.  If one's
premises lead to absurd conclusions, perhaps the flaw is in the premises.
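As an added illustration (not code from this thread or from Pavel's script), the following models the expectation the message describes and audits a path against it. It assumes, as a labelled simplification, that a file counts as privately held when every directory from the private root down is owned by the caller with no group/other bits, and the file has exactly one name (st_nlink == 1), which is one way of ruling out a hard link elsewhere.

```python
"""Added example: set up an owner-only directory holding a file, then audit
whether the file's protection still rests on directory permissions.
Assumption (labelled): "protected" means every directory from `top` down is
ours with no group/other bits, and the file has st_nlink == 1."""
import os
import stat
import tempfile


def make_private_file(root, name):
    """Create an owner-only directory and a file inside it, as in the thread."""
    os.mkdir(root, 0o700)
    path = os.path.join(root, name)
    # O_EXCL: fail rather than reuse a pre-existing name someone else planted.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return path


def audit_private_path(path, top):
    """Return the reasons `path` is NOT shielded by directory permissions.
    An empty list means the on-disk metadata matches the expectation.
    Note what this cannot see: a descriptor already open in some process and
    reachable by another route (the /proc mechanism the thread argues about)."""
    problems = []
    st = os.lstat(path)
    if st.st_nlink != 1:
        problems.append("file has %d names; a hard link bypasses the directory"
                        % st.st_nlink)
    d = os.path.dirname(os.path.abspath(path))
    top = os.path.abspath(top)
    while True:  # walk from the file's directory up to `top`, inclusive
        ds = os.lstat(d)
        if ds.st_uid != os.getuid():
            problems.append("%s is owned by uid %d, not us" % (d, ds.st_uid))
        other_bits = stat.S_IMODE(ds.st_mode) & 0o077
        if other_bits:
            problems.append("%s grants group/other bits %03o" % (d, other_bits))
        parent = os.path.dirname(d)
        if d == top or parent == d:
            break
        d = parent
    return problems


def demo():
    """Private setup passes; a second hard link plus a loosened directory fail."""
    base = tempfile.mkdtemp()          # constructed scratch location
    root = os.path.join(base, "private")
    f = make_private_file(root, "secret")
    before = audit_private_path(f, root)
    os.link(f, os.path.join(base, "alias"))   # another name outside `root`
    os.chmod(root, 0o755)                      # directory now world-traversable
    return before, audit_private_path(f, root)
```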

Thread overview: 4+ messages
2009-10-28 21:10 symlinks with permissions (fwd) Pavel Machek
2009-10-29  5:07 ` Casey Schaufler
2009-10-29  8:05   ` David Wagner [this message]
2009-10-29 20:35   ` Pavel Machek
