lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1476887746.926524.760895721.565B8D5E@webmail.messagingengine.com>
Date:   Wed, 19 Oct 2016 10:35:46 -0400
From:   Colin Walters <walters@...bum.org>
To:     Mattias Nissler <mnissler@...omium.org>
Cc:     Al Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
> 
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal with the restriction of a fixed filename in the last
> component, but might still be exploitable.

Yeah, I meant that you'd walk the path string in userspace one by
one. That said the "fstat at the end and check device" seems a
lot better, or perhaps the mount namespaces could help.

Also, don't forget about `setfsuid()`.

> The difficulty lies in applying these measures of precaution
> system-wide. This affects most init scripts and daemons, and
> everything else that keeps state on the writable file system. 

One thing to note is that at least in the freedesktop.org/GNOME etc.
side of things, we basically never have privileged processes
accessing user home directories anymore.

A good example is that GDM used to read ~username/.config/face.png
or something like that to show the user's picture on the login screen, and that was
subject to many of the same risks.

But we've basically across the board migrated to a model where
the unprivileged user session talks to privileged daemons via
a DBus (or other) API.  In this case, the picture data is stored
in accountsservice.  NetworkManager is another big
example of this, where e.g. WiFi credentials can be per user, and
the session passes them to the privileged daemon over DBus,
rather than having the privileged process try to parse config files
in the user's homedir.   It's a lot easier to secure.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ