[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20120106015808.1655d1c9.akpm@linux-foundation.org>
Date: Fri, 6 Jan 2012 01:58:08 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Ingo Molnar <mingo@...e.hu>
Cc: Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org,
Alexander Viro <viro@...iv.linux.org.uk>,
Rik van Riel <riel@...hat.com>,
Federica Teodori <federica.teodori@...glemail.com>,
Lucian Adrian Grijincu <lucian.grijincu@...il.com>,
Peter Zijlstra <a.p.zijlstra@...llo.nl>,
Eric Paris <eparis@...hat.com>,
Randy Dunlap <rdunlap@...otime.net>,
Dan Rosenberg <drosenberg@...curity.com>,
linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org,
kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2012.1] fs: symlink restrictions on sticky directories
On Fri, 6 Jan 2012 10:43:40 +0100 Ingo Molnar <mingo@...e.hu> wrote:
>
> * Andrew Morton <akpm@...ux-foundation.org> wrote:
>
> > > +config PROTECTED_STICKY_SYMLINKS
> > > + bool "Protect symlink following in sticky world-writable directories"
> > > + default y
> > > + help
> > > + A long-standing class of security issues is the symlink-based
> > > + time-of-check-time-of-use race, most commonly seen in
> > > + world-writable directories like /tmp. The common method of
> > > + exploitation of this flaw is to cross privilege boundaries
> > > + when following a given symlink (i.e. a root process follows
> > > + a malicious symlink belonging to another user).
> > > +
> > > + Enabling this solves the problem by permitting symlinks to be
> > > + followed only when outside a sticky world-writable directory,
> > > + or when the uid of the symlink and follower match, or when
> > > + the directory and symlink owners match.
> >
> > This is all quite misleading. One would expect that
> > CONFIG_PROTECTED_STICKY_SYMLINKS turns the entire feature on
> > or off permanently. ie, it controls whether the code is
> > generated into vmlinux in the usual fashion. But it's not
> > that at all - the user gets the feature whether or not he
> > wants it, and this variable only sets the initial value.
> >
> > Why are we forcing the user to have the feature if he doesn't
> > want it, btw?
>
> Basing on the (not yet fully confirmed) assertion that no apps
> are broken by this change but exploits, I'd argue that this is
> actually the sane and correct semantics for symlinks - i.e. we
> want this to be the default Linux behavior - not just a
> 'feature'.
>
> That way the configuration knobs are compat settings in essence
> - in case some app cares.
>
> If people disagree and want it default off and as a separate
> feature then it has to be modularized out some more. There's
> notable silence from VFS folks on all this so Kees made an
> educated guess. It might be wrong.
Maybe true for a general purpose computer, but someone who is making a
single-purpose device such as a digital TV or a wifi router won't want
it.
> > And we appear to be enabling the feature if CONFIG_PROC_FS=n,
> > which might not be terribly useful?
>
> It can still be useful if it's default on - just cannot be
> turned off via /proc/sys/, right?
>
> The combination that is not so useful is when it's off and
> there's !PROC_FS. If it's a compat feature then i wouldnt bother
> about it. If it's a separated out modular feature in a separate
> .c file then it can all be properly shaped via Kconfig
> dependencies.
Spose so.
I'd have thought the way to configure this feature would be to have
CONFIG_PROTECTED_STICKY_SYMLINKS to control the code generation then a
0 or 1 CONFIG_PROTECTED_STICKY_SYMLINKS_ENABLED to control the initial
setting.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists