Date: Tue, 3 Jul 2018 20:19:31 +0200
From: Hanno Böck <>
Subject: Patch for SymlinksIfOwnerMatches


There's a nasty problem in many webserver configurations on multiuser
systems; I blogged about it a while ago [1]. With a symlink it's
often possible to read out configuration files of other users. This was
famously used in the Freedom Hosting II hack [2].

grsecurity had a workaround for this: By not allowing file operations
to follow symlinks if the owner of the link and the target don't match,
it can block this kind of attack.

I saw a need to keep this feature alive in a post-grsecurity world, so
a while ago I extracted it from the grsecurity patch. I've now made
that public:

I'm not sure about upstreaming; I think it's a worthy feature, but it
might need some work in polishing it. But for now I'll just share it
and I will hopefully be able to keep the patch working for future


Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
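
Added example, not part of the original message and not the kernel patch: a userspace audit of the owner-match rule described above, listing every symlink under a directory whose owner differs from the owner of its target. The function name, the sample file names and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_symlinks(root):
    """List symlinks under root whose owner differs from their target's owner.

    Returns (link_path, resolved_target, link_uid, target_uid) tuples.
    """
    findings = []
    # followlinks=False: report directory symlinks but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            link_st = os.lstat(path)  # metadata of the link itself
            if not stat.S_ISLNK(link_st.st_mode):
                continue
            try:
                target_st = os.stat(path)  # metadata of the final target
            except OSError:
                continue  # dangling, looping or unreachable target
            if link_st.st_uid != target_st.st_uid:
                findings.append((path, os.path.realpath(path),
                                 link_st.st_uid, target_st.st_uid))
    return findings


if __name__ == "__main__":
    # Constructed layout: one link to our own file, one to a path that is
    # normally owned by another user (root) when run unprivileged.
    with tempfile.TemporaryDirectory() as docroot:
        own_file = os.path.join(docroot, "config.php")
        open(own_file, "w").close()
        os.symlink(own_file, os.path.join(docroot, "same_owner"))
        os.symlink("/etc/passwd", os.path.join(docroot, "cross_owner"))
        for link, target, link_uid, target_uid in audit_symlinks(docroot):
            print(f"{link} (uid {link_uid}) -> {target} (uid {target_uid})")
```

A scan like this reports the state at the moment it runs; it does not stop a mismatched link from being created afterwards.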
