[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150207160457.GY23507@brightrain.aerifal.cx>
Date: Sat, 7 Feb 2015 11:04:57 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: realpath() and setfsuid programs
On Sat, Feb 07, 2015 at 04:28:29PM +0200, Timo Teras wrote:
> > > Why is the check not simply an ownership check for the mount point?
> > > I suspect it has to do with the need to pass a pathname rather than
> > > fd to mount, which is subject to renaming/moving races, but the
> > > realpath call would be subject to the same and worse. Presumably
> > > the correct way to do this is to open a fd to the mountpoint then
> > > pass /proc/self/fd/%d to the mount function after checking
> > > ownership.
> >
> > Or of course just using chdir and checking ownership of ".".
>
> Agreed. In this case fuse seems to be the place needing fix. Dropping
> privileges just for realpath() does not sound like the right approach.
>
> Though, I'm wondering if the issue showing up in other places -- that
> is realpath() failing if fs uid is set to something that cannot
> read /proc/self/fd/...
realpath can fail for various reasons, like lacking permissions to a
path component, fd exhaustion or other resource issues, etc. so I
don't think it's a big deal for it to fail when /proc/self/fd/%d is
not accessible. It's not a robust operation to begin with.
Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
