Re: VFS: Dynamic umask for the access rights of linked objects

From: Chris Wright
Date: Wed Mar 01 2006 - 02:53:09 EST


* Kyle Moffett (mrmacman_g4@xxxxxxx) wrote:
> On Feb 28, 2006, at 22:54:15, Hauke Laging wrote:
> >6) In my scenario the VFS would add a step after 4): It would check
> >if the symlink has been created by someone different from the
> >process's uid and from root. If so there is the risk of abuse and
> >the access check would be repeated for the symlink owner.
> >
> >7) The VFS would find out that the symlink owner is not allowed to
> >write to /etc/passwd. Thus the write access is prohibited, even for
> >a process with superuser rights.
>
> Feel free to write an LSM to do this, but it breaks POSIX specs a bit
> and could cause problems with some programs, so it's not likely to
> become the default behavior.

Solar Designer's Openwall Linux patch contains code for these types of
restrictions (at least since 2.2 if not earlier). Idea was stolen and
made into an LSM smth like 4 or 5 years ago. Neither of these have made
it upstream. Attempts have also been made to codify such restrictions
in SELinux policy. Polyinstantiation and per-process namespaces can be
done effectively with code that's now in mainline, and can mitigate much
of this risk.

thanks,
-chris
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/