lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 23 Nov 2009 12:41:24 -0500
From:	Jeff Layton <jlayton@...hat.com>
To:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:	ebiederm@...ssion.com, pavel@....cz, miklos@...redi.hu,
	viro@...IV.linux.org.uk
Subject: [PATCH 3/3] vfs: check path permissions on target of LAST_BIND symlinks

Because LAST_BIND symlinks aren't subject to the normal path walking
routines, they sidestep all of the permission checking that occurs while
resolving a path. Fix this by adding a routine to walk back up the
directory tree and check MAY_EXEC permission on the entire path back up to
the root.

Signed-off-by: Jeff Layton <jlayton@...hat.com>
---
 fs/namei.c |   57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 56 insertions(+), 1 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 738b257..d4c1279 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -504,6 +504,57 @@ ok:
 }
 
 /*
+ * We have a cached struct path from a LAST_BIND symlink. The path is valid
+ * but it's possible that one of the components leading to this point
+ * might not be accessible. This check walks back up the tree to the root
+ * of the namespace and checks whether each component is accessible. The
+ * supplied path is put on error.
+ */
+static int
+check_path_accessible(struct path *path)
+{
+	int err;
+	struct dentry *parent, *tdentry = dget(path->dentry);
+	struct vfsmount *vfsmnt = mntget(path->mnt);
+	struct path root = current->fs->root;
+
+	path_get(&root);
+	for(;;) {
+		parent = dget_parent(tdentry);
+		err = inode_permission(parent->d_inode, MAY_EXEC);
+		if (err < 0) {
+			dput(parent);
+			break;
+		}
+		dput(tdentry);
+		tdentry = parent;
+
+		/* keep going if not to root of mnt */
+		if (!IS_ROOT(tdentry))
+			continue;
+
+		/* are we at global root or root of namespace? */
+		if ((tdentry == root.dentry && vfsmnt == root.mnt) ||
+		    vfsmnt->mnt_parent == vfsmnt)
+			break;
+
+		/* cross to parent mount and keep walking */
+		mntput(vfsmnt);
+		vfsmnt = mntget(vfsmnt->mnt_parent);
+		tdentry = dget(vfsmnt->mnt_mountpoint);
+		dput(parent);
+	}
+	dput(tdentry);
+	mntput(vfsmnt);
+	path_put(&root);
+
+	if (err)
+		path_put(path);
+
+	return err;
+}
+
+/*
  * This is called when everything else fails, and we actually have
  * to go to the low-level filesystem to find out what we should do..
  *
@@ -679,8 +730,12 @@ static __always_inline int __do_follow_link(struct path *path, struct nameidata
 		error = 0;
 		if (s)
 			error = __vfs_follow_link(nd, s);
-		else if (nd->last_type == LAST_BIND)
+		else if (nd->last_type == LAST_BIND) {
 			error = force_reval_path(&nd->path, nd);
+			if (!error)
+				error = check_path_accessible(&nd->path);
+		}
+
 		if (dentry->d_inode->i_op->put_link)
 			dentry->d_inode->i_op->put_link(dentry, nd, cookie);
 	}
-- 
1.5.5.6

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ