Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 3 Jul 2018 23:02:33 +0200
From: Hanno Böck <hanno@...eck.de>
To: Jann Horn <jannh@...gle.com>
Cc: Al Viro <viro@...iv.linux.org.uk>,
  Kernel Hardening <kernel-hardening@...ts.openwall.com>
Subject: Re: Patch for SymlinksIfOwnerMatches

On Tue, 3 Jul 2018 21:47:34 +0200
Jann Horn <jannh@...gle.com> wrote:

> Hmm. Actually, I wonder whether the kernel is a good place to handle
> this at all.
> 
> As you note, Apache already has the option SymLinksIfOwnerMatch, which
> means that it already has to do a component-wise path walk in
> userspace (because AT_BENEATH hasn't landed yet). Here's what "strace"
> reports when Apache with that option is following a symlink:

Maybe for context: I haven't looked into the details of the technical
implementation and I'm not claiming this is a good solution (nor do I
claim to have good knowledge of these things at all). But when I looked
into this a while ago it was the only solution that was available.

Right now the apache option has 2 problems:
* There are many web apps that will enable "FollowSymlinks". If you
  start forbidding that you'll break them. There's currently no way to
  configure apache in a way that both enforces symlink owner match and
  doesn't break half of the PHP ecosystem. It would need an option like
  "treat FollowSymlinks like FollowSymlinksIfOwnerMatch"
* The option has a documented race condition. (Apache has this habit of
  documenting security bugs and thinking this makes them go away...) I
  have heard people saying that this is unfixable in userspace, but
  well, if you say it's possible I'm not going to argue with it.

Point is: I merely wanted to keep the grsecurity option working, so I
ripped it out of grsec into a separate patch. If there's a better way
I'm all for it.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.