lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAHk-=wiaoij30cnx=jfvg=Br3YTxhQjp4VWRc6=xYE2=+EVRPg@mail.gmail.com>
Date: Wed, 10 Apr 2024 19:39:49 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Andrew Lutomirski <luto@...nel.org>, Peter Anvin <hpa@...or.com>
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() - requirements

On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
>
> +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> +                       if (f.file->f_cred != current_cred() &&
> +                           !capable(CAP_DAC_READ_SEARCH)) {
> +                               fdput(f);
> +                               return ERR_PTR(-ENOENT);
> +                       }
> +               }

Side note: I suspect that this could possibly be relaxed further, by
making the rule be that if something has been explicitly opened to be
used as a path (ie O_PATH was used at open time), we can link to it
even across different credentials.

IOW, the above could perhaps even be

+               if (flags & LOOKUP_DFD_MATCH_CREDS) {
+                       if (!(f.file->f_mode & FMODE_PATH) &&
+                           f.file->f_cred != current_cred() &&
+                           !capable(CAP_DAC_READ_SEARCH)) {
+                               fdput(f);
+                               return ERR_PTR(-ENOENT);
+                       }
+               }

which would _allow_ people to pass in paths as file descriptors if
they actually wanted to.

After all, the only thing you can do with an O_PATH file descriptor is
to use it as a path - there would be no other reason to use O_PATH in
the first place. So if you now pass it to somebody else, clearly you
are intentionally trying to make it available *as* a path.

So you could imagine doing something like this:

         // Open path as root
         int fd = open('filename", O_PATH);

        // drop privileges
        // setresuid(..) or chmod() or enter new namespace or whatever

        linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);

and it would open the path with one set of privileges, but then
intentionally go into a more restricted mode and create a link to the
source within that restricted environment.

Sensible? Who knows. I'm just throwing this out as another "this may
be the solution to our historical flink() issues".

           Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ