Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Feb 2015 07:26:03 -0500
From: Rich Felker <>
Subject: Re: realpath() and setfsuid programs

On Sat, Feb 07, 2015 at 09:53:54AM +0200, Timo Teras wrote:
> Hi,
> It seems realpath() does not work in binaries using setfsuid(). (At
> least on grsec kernels, vanilla kernel might be affected too.)
> The problem is that realpath() opens the file, and then
> uses just readlink on /proc/self/fd/<fd> to read the canonicalized
> path.
> However, /proc/self/fd is not accessible if setfsuid() has been used to
> drop privileges.
> The problem I'm looking at in this case is fuse. fusermount, the
> suid wrapper to do user fuse mounts, seems to basically do:
>  oldfsuid = setfsuid(getuid())
>  oldfsgid = setfsgid(getgid())
>  take realpath of mountpoint
>  chdir("/")
>  setfsuid(oldfsuid)
>  setfsgid(oldfsgid)
> I believe they want to drop privileges so it works as also access check
> to the mount point directory. As realpath() in practice checks that the
> user has access to the entry too.

Could you clarify what you think the security intent of this code is?
As far as I can tell it's nonsense. realpath is not usable for much of
anything security-related; in particular, it's non-atomic and subject
to all sorts of trickery involving renaming/moving directories during
its operation, even moreso when it's done component-by-component in

Why is the check not simply an ownership check for the mount point? I
suspect it has to do with the need to pass a pathname rather than fd
to mount, which is subject to renaming/moving races, but the realpath
call would be subject to the same and worse. Presumably the correct
way to do this is to open a fd to the mountpoint then pass
/proc/self/fd/%d to the mount function after checking ownership.

> This works glibc, as realpath() canonicalizes the path
> component-by-component in userland. But musl breaks due to the /proc
> not being accessible while privileges dropped.
> Any suggestions?

I think first we should figure out if the code even makes sense. I
suspect it's a bug.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.