lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240411-alben-kocht-219170e9dc99@brauner>
Date: Thu, 11 Apr 2024 11:04:59 +0200
From: Christian Brauner <brauner@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>, 
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Andrew Lutomirski <luto@...nel.org>, Peter Anvin <hpa@...or.com>
Subject: Re: [PATCH] vfs: relax linkat() AT_EMPTY_PATH - aka flink() -
 requirements

On Wed, Apr 10, 2024 at 07:39:49PM -0700, Linus Torvalds wrote:
> On Wed, 10 Apr 2024 at 17:10, Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
> >
> > +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> > +                       if (f.file->f_cred != current_cred() &&
> > +                           !capable(CAP_DAC_READ_SEARCH)) {
> > +                               fdput(f);
> > +                               return ERR_PTR(-ENOENT);
> > +                       }
> > +               }
> 
> Side note: I suspect that this could possibly be relaxed further, by
> making the rule be that if something has been explicitly opened to be
> used as a path (ie O_PATH was used at open time), we can link to it
> even across different credentials.

I had a similar discussion a while back someone requested that we relax
permissions so linkat can be used in containers. And I drafted the
following patch back then:

https://lore.kernel.org/all/20231113-undenkbar-gediegen-efde5f1c34bc@brauner

IOW, I had intended to make this work with containers so that we check
CAP_DAC_READ_SEARCH in the namespace of the opener of the file. My
thinking had been that this can serve as a way to say "Hey, I could've
opened this file in the openers namespace therefore let me make a path
to it.". I didn't actually send it because I thought the original author
would but imho, that would be a worthwhile addition to your patch if
this makes sense...

> 
> IOW, the above could perhaps even be
> 
> +               if (flags & LOOKUP_DFD_MATCH_CREDS) {
> +                       if (!(f.file->f_mode & FMODE_PATH) &&
> +                           f.file->f_cred != current_cred() &&
> +                           !capable(CAP_DAC_READ_SEARCH)) {
> +                               fdput(f);
> +                               return ERR_PTR(-ENOENT);
> +                       }
> +               }
> 
> which would _allow_ people to pass in paths as file descriptors if
> they actually wanted to.
> 
> After all, the only thing you can do with an O_PATH file descriptor is
> to use it as a path - there would be no other reason to use O_PATH in
> the first place. So if you now pass it to somebody else, clearly you
> are intentionally trying to make it available *as* a path.
> 
> So you could imagine doing something like this:
> 
>          // Open path as root
>          int fd = open('filename", O_PATH);
> 
>         // drop privileges
>         // setresuid(..) or chmod() or enter new namespace or whatever
> 
>         linkat(fd, "", AT_FDCWD, "newname", AT_EMPTY_PATH);
> 
> and it would open the path with one set of privileges, but then
> intentionally go into a more restricted mode and create a link to the
> source within that restricted environment.
> 
> Sensible? Who knows. I'm just throwing this out as another "this may
> be the solution to our historical flink() issues".
> 
>            Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ