| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20100601150049.GQ4098@outflux.net> Date: Tue, 1 Jun 2010 08:00:49 -0700 From: Kees Cook <kees.cook@...onical.com> To: Christoph Hellwig <hch@...radead.org> Cc: James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org, Randy Dunlap <rdunlap@...otime.net>, Andrew Morton <akpm@...ux-foundation.org>, Jiri Kosina <jkosina@...e.cz>, Dave Young <hidave.darkstar@...il.com>, Martin Schwidefsky <schwidefsky@...ibm.com>, Eric Paris <eparis@...hat.com>, David Howells <dhowells@...hat.com>, Ingo Molnar <mingo@...e.hu>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, "Eric W. Biederman" <ebiederm@...ssion.com>, Tim Gardner <tim.gardner@...onical.com>, "Serge E. Hallyn" <serue@...ibm.com> Subject: Re: [PATCH v2] fs: block cross-uid sticky symlinks On Tue, Jun 01, 2010 at 03:55:29AM -0400, Christoph Hellwig wrote: > On Mon, May 31, 2010 at 08:24:23PM -0700, Kees Cook wrote: > > Well, that's what I'm trying to understand. It sounds like there is some > > general agreement that the issue needs to be solved, but some folks do not > > want it in the core VFS. As in, the objections aren't with how symlink > > behavior is changed, just that the changes would be in the fs/ directory. > > No, it's not. It's not a change we can make for the default that > everyone uses. If you're keen to mess up installations you control (aka > ubuntu valuedadd viper) push it into a special LSM or rather a > non-standard rule for it. It really doesn't matter if it's in fs/ or > security/ but it's simplify not going to happen by default. Okay, thanks; that clarifies some of my confusion. It sounds like there are some people that genuinely believe that the symlink-following logic should not change. I would pose, then, a question of "what are legitimate and safe situations that require following cross-user symlinks in a sticky world-writable directory?" And if the answers to that aren't very convincing, then I think it's reasonable to include at least an option to change the behavior. > > My rationale is that if it's in commoncaps, it's effective for everyone, so > > it might as well be in core VFS. If the VFS objections really do boil down > > to "not in fs/" then I'm curious if doing this in commoncaps is acceptable. > > If you think the objection is about having things in fs/ you're smoking > some really bad stuff. Right, that was my point exactly. It didn't make sense to object to it being in fs/. The objection was to having it in the kernel at all. So now I can focus my efforts on convincing people about the value of making this a setting in the kernel, like turning on or off TCP syn-flood protection. Some people may demand it, some people may hate it, but the choice it up to the end user. -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists