| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Apr 2011 07:13:33 +0000 From: halfdog <me@...fdog.net> To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Opinions on open/exec syscalls and security -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello List, Quite a few programs, that have to traverse directory trees recursively, do not treat symlinks correctly, e.g. most backup applications I tested allowed inclusion of arbitrary files. Although this could just be seen as a problem of application security, I think that the suboptimal kernel interface to filesystem makes it hard to code correctly, hence increasing the number of vulnerable programs of some type (e.g. backup programs). The problem is, that is hard to open a file in a user-controlled directory, e.g. for backup, and apply some policy to that, e.g. that no component in the path is a symlink. Otherwise, the sequence readdir /home/user/somedir/ open /home/user/somedir/shadow in a backup program might cause inclusion of real password, if somedir was moved and relinked to /etc in between the two calls, a race that is very easy to win. If the backup program would do only openat/stat pairs for every component in the path, the program then might run out of filedescriptors easily (DOS). - From my opinion, the system api, that makes it too hard to check, if problematic symlinks (or user space filesystem mounts) are included in a path. To provide really time-race free api, an open-and-check operation could be useful. An implementation of a "secure" file open library call, e.g. in libc, would also be an option, but it might be rather hard to provide the same level of security, because the library routine has no atomic syscall to rely on, and hence implementation might be racy, altough the window of opportunity might be very small. Without this system support, it is quite tricky to write 100% correct code and one might introduce other flaws, e.g. DOS via reaching max. open file descriptors. Could a new syscall or modified syscall options make it easier for developers, so that they to not have to keep numerous fds open and apply all the policy checks in user space, e.g. using inode numbers, dev references? See http://www.halfdog.net/Security/2010/FilesystemRecursionAndSymlinks/ for a short writeup on that topic (still work in progress). - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFNrTVdxFmThv7tq+4RAprNAJ9nTTy2s2zjS4zy6wUk7SZPkN10nwCgh061 mNiOTFp9x0mhvkA418AHDgo= =6LcN -----END PGP SIGNATURE----- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists