lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171005161619.GA16482@fieldses.org>
Date:   Thu, 5 Oct 2017 12:16:19 -0400
From:   bfields@...ldses.org (J. Bruce Fields)
To:     Theodore Ts'o <tytso@....edu>, Adam Borowski <kilobyte@...band.pl>,
        Al Viro <viro@...IV.linux.org.uk>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] vfs: hard-ban creating files with control characters in
 the name

On Tue, Oct 03, 2017 at 02:58:52PM -0400, Theodore Ts'o wrote:
> The argument for making it be configurable is that if it does break
> things in way we can't foresee, it's a lot easier to back it out.  And
> like what we've done with relatime, if the distro's all run with it as
> the default for a couple of years, it then becomes easier to make the
> case for making it be the default.

I find it hard to believe that any general-purpose distro could turn
on something like this without breaking a gazillion things for users.

> > Discussing a configurable policy (perhaps here in vfs, perhaps as a LSM, a
> > seccomp hack or even LD_PRELOAD) would be interesting, but for the above
> > reason I'd want \n hard-banned.
> 
> Perhaps doing this as an LSM makes the most amount of sense.  That
> makes it be configurable/optional, and I think the security folks will
> be much more willing to accept the functionality, if we decide we
> don't want to make it a core VFS restriction.

Making this something you can turn on and off seems likely to create all
sorts of surprises for users when filenames written under one kernel
can't be read under another.

This kind of restriction sounds more like a permanent feature of the
filesystem--something you'd set at mkfs time.

We already have filesystems with these kinds of restrictions, don't we?

It'd seem trivial to add a "disallow weird characters on this
superblock" flag to ext4.

--b.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ