[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAGRrVHytokoWWok8uz3vVHuEn3bOkedc5pS1Lk3k4UtUvwPZig@mail.gmail.com>
Date: Fri, 31 Jan 2020 12:55:16 -0700
From: Ross Zwisler <zwisler@...omium.org>
To: Matthew Wilcox <willy@...radead.org>
Cc: linux-kernel@...r.kernel.org,
Mattias Nissler <mnissler@...omium.org>,
Benjamin Gordon <bmgordon@...gle.com>,
Raul Rangel <rrangel@...gle.com>,
Micah Morton <mortonm@...gle.com>,
Dmitry Torokhov <dtor@...gle.com>, Jan Kara <jack@...e.cz>,
Alexander Viro <viro@...iv.linux.org.uk>,
linux-fsdevel@...r.kernel.org, Aleksa Sarai <cyphar@...har.com>,
David Howells <dhowells@...hat.com>
Subject: Re: [PATCH v4] Add a "nosymfollow" mount option.
On Thu, Jan 30, 2020 at 5:46 PM Matthew Wilcox <willy@...radead.org> wrote:
> On Thu, Jan 30, 2020 at 05:27:50PM -0700, Ross Zwisler wrote:
> > For mounts that have the new "nosymfollow" option, don't follow
> > symlinks when resolving paths. The new option is similar in spirit to
> > the existing "nodev", "noexec", and "nosuid" options. Various BSD
> > variants have been supporting the "nosymfollow" mount option for a
> > long time with equivalent implementations.
> >
> > Note that symlinks may still be created on file systems mounted with
> > the "nosymfollow" option present. readlink() remains functional, so
> > user space code that is aware of symlinks can still choose to follow
> > them explicitly.
> >
> > Setting the "nosymfollow" mount option helps prevent privileged
> > writers from modifying files unintentionally in case there is an
> > unexpected link along the accessed path. The "nosymfollow" option is
> > thus useful as a defensive measure for systems that need to deal with
> > untrusted file systems in privileged contexts.
>
> The openat2 series was just merged yesterday which includes a
> LOOKUP_NO_SYMLINKS option. Is this enough for your needs, or do you
> need the mount option?
>
> https://lore.kernel.org/linux-fsdevel/20200129142709.GX23230@ZenIV.linux.org.uk/
Thank you for the pointer. No, I don't think that this really meets
our needs because it requires code to be modified to use the new
openat2 system call. Our goal is to be able to place restrictions on
untrusted user supplied filesystems so that legacy programs will be
protected from malicious symlinks.
Powered by blists - more mailing lists