| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 May 2010 15:00:00 -0700 From: Kees Cook <kees.cook@...onical.com> To: Al Viro <viro@...IV.linux.org.uk> Cc: Alan Cox <alan@...rguk.ukuu.org.uk>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org, Randy Dunlap <rdunlap@...otime.net>, Andrew Morton <akpm@...ux-foundation.org>, Jiri Kosina <jkosina@...e.cz>, Dave Young <hidave.darkstar@...il.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, James Morris <jmorris@...ei.org>, Eric Paris <eparis@...hat.com>, David Howells <dhowells@...hat.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Eric W. Biederman" <ebiederm@...ssion.com>, Tim Gardner <tim.gardner@...onical.com>, "Serge E. Hallyn" <serue@...ibm.com> Subject: Re: [PATCH v2] fs: block cross-uid sticky symlinks Hi Al, On Mon, May 31, 2010 at 08:52:30PM +0100, Al Viro wrote: > On Mon, May 31, 2010 at 12:07:54PM -0700, Kees Cook wrote: > > IIRC, screen, when setuid, allows users to share screen sessions (following > > some system-defined ACLs) but it does it via the /tmp directory trees it > > creates. Per-user /tmp would break this (but yes, it's solvable using some > > kind of /var/lib/screen which maybe even already exists). > > screen(1) does *not* put directories in /tmp these days, TYVM. > > al@...e:~/linux/trees/vfs-next$ ls -l /var/run/screen/ > total 1 > drwx------ 2 al al 1024 May 20 21:50 S-al Okay, good; that's a relief. > In any case, the suggested "improvement" breaks realistic use cases, AFAICS. > In particular, > > cd /tmp > tar jxf foo-2.42.orig.tar.bz2 > <...> > tar jxf foo-gtk-wank-wank-wank-2.69.orig.tar.bz2 > <...> > ln -s foo-gtk-wank-wank-wank-2.69/docs/GNOME/design/ crap > <...> > lpr crap/taste-is-optional.ps > lpr crap/why-options-are-wrong.ps > > is going to break with that, isn't it? Nope. To be fair, it depends on the implementation of of LPR. In the case of CUPS, this is fine since lpr will run as the local user, follow the symlink and read the file contents before POSTing the contents to the CUPS server. The privilege boundary is crossed at the network, not the filesystem in this case. I would note however that without the symlink following patch a hypothetical attacker would be able to race you for the "foo-gtk-wank-wank-wank-2.69" entry, or the "crap" entry, since either could be directed out from under "tar" and "ln" to symlinks controlled by the attacker. Unpacking archives in a sticky world-writable directory is dangerous without this symlink following patch. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists