Date: Tue, 3 Jul 2018 23:02:33 +0200 From: Hanno Böck <hanno@...eck.de> To: Jann Horn <jannh@...gle.com> Cc: Al Viro <viro@...iv.linux.org.uk>, Kernel Hardening <kernel-hardening@...ts.openwall.com> Subject: Re: Patch for SymlinksIfOwnerMatches On Tue, 3 Jul 2018 21:47:34 +0200 Jann Horn <jannh@...gle.com> wrote: > Hmm. Actually, I wonder whether the kernel is a good place to handle > this at all. > > As you note, Apache already has the option SymLinksIfOwnerMatch, which > means that it already has to do a component-wise path walk in > userspace (because AT_BENEATH hasn't landed yet). Here's what "strace" > reports when Apache with that option is following a symlink: Maybe for context: I haven't looked into the details of the technical implementation and I'm not claiming this is a good solution (nor do I claim to have good knowledge of these things at all). But when I looked into this a while ago it was the only solution that was available. Right now the apache option has 2 problems: * There are many web apps that will enable "FollowSymlinks". If you start forbidding that you'll break them. There's currently no way to configure apache in a way that both enforces symlink owner match and doesn't break half of the PHP ecosystem. It would need an option like "treat FollowSymlinks like FollowSymlinksIfOwnerMatch" * The option has a documented race condition. (Apache has this habit of documenting security bugs and thinking this makes them go away...) I have heard people saying that this is unfixable in userspace, but well, if you say it's possible I'm not going to argue with it. Point is: I merely wanted to keep the grsecurity option working, so I ripped it out of grsec into a separate patch. If there's a better way I'm all for it. -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.