[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100531220000.GI4098@outflux.net>
Date: Mon, 31 May 2010 15:00:00 -0700
From: Kees Cook <kees.cook@...onical.com>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org,
Randy Dunlap <rdunlap@...otime.net>,
Andrew Morton <akpm@...ux-foundation.org>,
Jiri Kosina <jkosina@...e.cz>,
Dave Young <hidave.darkstar@...il.com>,
Martin Schwidefsky <schwidefsky@...ibm.com>,
James Morris <jmorris@...ei.org>,
Eric Paris <eparis@...hat.com>,
David Howells <dhowells@...hat.com>,
Ingo Molnar <mingo@...e.hu>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Tim Gardner <tim.gardner@...onical.com>,
"Serge E. Hallyn" <serue@...ibm.com>
Subject: Re: [PATCH v2] fs: block cross-uid sticky symlinks
Hi Al,
On Mon, May 31, 2010 at 08:52:30PM +0100, Al Viro wrote:
> On Mon, May 31, 2010 at 12:07:54PM -0700, Kees Cook wrote:
> > IIRC, screen, when setuid, allows users to share screen sessions (following
> > some system-defined ACLs) but it does it via the /tmp directory trees it
> > creates. Per-user /tmp would break this (but yes, it's solvable using some
> > kind of /var/lib/screen which maybe even already exists).
>
> screen(1) does *not* put directories in /tmp these days, TYVM.
>
> al@...e:~/linux/trees/vfs-next$ ls -l /var/run/screen/
> total 1
> drwx------ 2 al al 1024 May 20 21:50 S-al
Okay, good; that's a relief.
> In any case, the suggested "improvement" breaks realistic use cases, AFAICS.
> In particular,
>
> cd /tmp
> tar jxf foo-2.42.orig.tar.bz2
> <...>
> tar jxf foo-gtk-wank-wank-wank-2.69.orig.tar.bz2
> <...>
> ln -s foo-gtk-wank-wank-wank-2.69/docs/GNOME/design/ crap
> <...>
> lpr crap/taste-is-optional.ps
> lpr crap/why-options-are-wrong.ps
>
> is going to break with that, isn't it?
Nope. To be fair, it depends on the implementation of of LPR. In the
case of CUPS, this is fine since lpr will run as the local user, follow
the symlink and read the file contents before POSTing the contents to
the CUPS server. The privilege boundary is crossed at the network,
not the filesystem in this case.
I would note however that without the symlink following patch a hypothetical
attacker would be able to race you for the "foo-gtk-wank-wank-wank-2.69"
entry, or the "crap" entry, since either could be directed out from under
"tar" and "ln" to symlinks controlled by the attacker. Unpacking archives
in a sticky world-writable directory is dangerous without this symlink
following patch.
-Kees
--
Kees Cook
Ubuntu Security Team
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists