Date: Fri, 6 Jan 2012 10:34:24 -0800 From: Kees Cook <keescook@...omium.org> To: Andrew Morton <akpm@...ux-foundation.org> Cc: Ingo Molnar <mingo@...e.hu>, linux-kernel@...r.kernel.org, Alexander Viro <viro@...iv.linux.org.uk>, Rik van Riel <riel@...hat.com>, Federica Teodori <federica.teodori@...glemail.com>, Lucian Adrian Grijincu <lucian.grijincu@...il.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Eric Paris <eparis@...hat.com>, Randy Dunlap <rdunlap@...otime.net>, Dan Rosenberg <drosenberg@...curity.com>, linux-doc@...r.kernel.org, linux-fsdevel@...r.kernel.org, kernel-hardening@...ts.openwall.com Subject: Re: [PATCH v2012.1] fs: symlink restrictions on sticky directories On Fri, Jan 6, 2012 at 1:58 AM, Andrew Morton <akpm@...ux-foundation.org> wrote: > On Fri, 6 Jan 2012 10:43:40 +0100 Ingo Molnar <mingo@...e.hu> wrote: >> * Andrew Morton <akpm@...ux-foundation.org> wrote: >> > > +config PROTECTED_STICKY_SYMLINKS >> > > + bool "Protect symlink following in sticky world-writable directories" >> > > + default y >> > > + help >> > > + A long-standing class of security issues is the symlink-based >> > > + time-of-check-time-of-use race, most commonly seen in >> > > + world-writable directories like /tmp. The common method of >> > > + exploitation of this flaw is to cross privilege boundaries >> > > + when following a given symlink (i.e. a root process follows >> > > + a malicious symlink belonging to another user). >> > > + >> > > + Enabling this solves the problem by permitting symlinks to be >> > > + followed only when outside a sticky world-writable directory, >> > > + or when the uid of the symlink and follower match, or when >> > > + the directory and symlink owners match. >> > >> > This is all quite misleading. One would expect that >> > CONFIG_PROTECTED_STICKY_SYMLINKS turns the entire feature on >> > or off permanently. ie, it controls whether the code is >> > generated into vmlinux in the usual fashion. But it's not >> > that at all - the user gets the feature whether or not he >> > wants it, and this variable only sets the initial value. >> > >> > Why are we forcing the user to have the feature if he doesn't >> > want it, btw? >> >> Basing on the (not yet fully confirmed) assertion that no apps >> are broken by this change but exploits, I'd argue that this is >> actually the sane and correct semantics for symlinks - i.e. we >> want this to be the default Linux behavior - not just a >> 'feature'. >> >> That way the configuration knobs are compat settings in essence >> - in case some app cares. >> >> If people disagree and want it default off and as a separate >> feature then it has to be modularized out some more. There's >> notable silence from VFS folks on all this so Kees made an >> educated guess. It might be wrong. > > Maybe true for a general purpose computer, but someone who is making a > single-purpose device such as a digital TV or a wifi router won't want > it. > [...] > I'd have thought the way to configure this feature would be to have > CONFIG_PROTECTED_STICKY_SYMLINKS to control the code generation then a > 0 or 1 CONFIG_PROTECTED_STICKY_SYMLINKS_ENABLED to control the initial > setting. This seems like probably the best approach, though I dislike the silliness required in Kconfig to get a boolean into 1/0 form instead of set/unset in way that doesn't require the user to type "1" or "0". I'm happy to do it, though. -Kees -- Kees Cook ChromeOS Security
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.