Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20120106015808.1655d1c9.akpm@linux-foundation.org>
Date: Fri, 6 Jan 2012 01:58:08 -0800
From: Andrew Morton <akpm@...ux-foundation.org>
To: Ingo Molnar <mingo@...e.hu>
Cc: Kees Cook <keescook@...omium.org>, linux-kernel@...r.kernel.org,
 Alexander Viro <viro@...iv.linux.org.uk>, Rik van Riel <riel@...hat.com>,
 Federica Teodori <federica.teodori@...glemail.com>, Lucian Adrian Grijincu
 <lucian.grijincu@...il.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Eric
 Paris <eparis@...hat.com>, Randy Dunlap <rdunlap@...otime.net>, Dan
 Rosenberg <drosenberg@...curity.com>, linux-doc@...r.kernel.org,
 linux-fsdevel@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH v2012.1] fs: symlink restrictions on sticky directories

On Fri, 6 Jan 2012 10:43:40 +0100 Ingo Molnar <mingo@...e.hu> wrote:

> 
> * Andrew Morton <akpm@...ux-foundation.org> wrote:
> 
> > > +config PROTECTED_STICKY_SYMLINKS
> > > +	bool "Protect symlink following in sticky world-writable directories"
> > > +	default y
> > > +	help
> > > +	  A long-standing class of security issues is the symlink-based
> > > +	  time-of-check-time-of-use race, most commonly seen in
> > > +	  world-writable directories like /tmp. The common method of
> > > +	  exploitation of this flaw is to cross privilege boundaries
> > > +	  when following a given symlink (i.e. a root process follows
> > > +	  a malicious symlink belonging to another user).
> > > +
> > > +	  Enabling this solves the problem by permitting symlinks to be
> > > +	  followed only when outside a sticky world-writable directory,
> > > +	  or when the uid of the symlink and follower match, or when
> > > +	  the directory and symlink owners match.
> > 
> > This is all quite misleading.  One would expect that 
> > CONFIG_PROTECTED_STICKY_SYMLINKS turns the entire feature on 
> > or off permanently.  ie, it controls whether the code is 
> > generated into vmlinux in the usual fashion.  But it's not 
> > that at all - the user gets the feature whether or not he 
> > wants it, and this variable only sets the initial value.
> > 
> > Why are we forcing the user to have the feature if he doesn't 
> > want it, btw?
> 
> Basing on the (not yet fully confirmed) assertion that no apps 
> are broken by this change but exploits, I'd argue that this is 
> actually the sane and correct semantics for symlinks - i.e. we 
> want this to be the default Linux behavior - not just a 
> 'feature'.
> 
> That way the configuration knobs are compat settings in essence 
> - in case some app cares.
> 
> If people disagree and want it default off and as a separate 
> feature then it has to be modularized out some more. There's 
> notable silence from VFS folks on all this so Kees made an 
> educated guess. It might be wrong.

Maybe true for a general purpose computer, but someone who is making a
single-purpose device such as a digital TV or a wifi router won't want
it.

> > And we appear to be enabling the feature if CONFIG_PROC_FS=n, 
> > which might not be terribly useful?
> 
> It can still be useful if it's default on - just cannot be 
> turned off via /proc/sys/, right?
> 
> The combination that is not so useful is when it's off and 
> there's !PROC_FS. If it's a compat feature then i wouldnt bother 
> about it. If it's a separated out modular feature in a separate 
> .c file then it can all be properly shaped via Kconfig 
> dependencies.

Spose so.

I'd have thought the way to configure this feature would be to have
CONFIG_PROTECTED_STICKY_SYMLINKS to control the code generation then a
0 or 1 CONFIG_PROTECTED_STICKY_SYMLINKS_ENABLED to control the initial
setting.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.