On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:

> OK, no more feedback thus far. Is there generally any interest in a
> mount option to avoid path name aliasing resulting in target file
> confusion? Perhaps a version that only disables symlinks instead of
> also hard-disabling files hard-linked to multiple locations (those are
> much lower risk for the situation I care about)?

So the situation here is a (privileged) process that is trying to read/write to a filesystem tree writable by other processes that are in a separate security domain?

That's a classic situation that requires extreme care, and I am doubtful that symlinks are the only issue you're facing. For example, if this process is also *parsing* any data there, there's another whole source of risk.

I suspect for you it wouldn't be too hard to have a "follow untrusted path" helper function; it's possible to implement in userspace safely with O_NOFOLLOW etc.

Regardless too, it sounds like what you want more is a "same filesystem" traversal (stat and compare devices). Or does it even need to handle full traversal? Would it have mitigated the security issue to fstat() any files you opened and verified they were from the writable partition you expected?

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
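The "follow untrusted path" helper the reply sketches, written out as an added example (editor's code, not from the thread or from any kernel patch): each component is opened with openat() and O_NOFOLLOW, ".." is refused, and every opened object is fstat()ed and its st_dev compared against the root directory's, which is the "stat and compare devices" check. The function names, the constructed scratch tree under /tmp and the symlink target in the self-test are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open `relpath` beneath `rootfd` one component at a time with O_NOFOLLOW, so a
 * symlink anywhere in the path fails with ELOOP; ".." is refused with EXDEV, and
 * each opened object must be on the root's device (st_dev), else EXDEV. */
int open_untrusted_path(int rootfd, const char *relpath, int flags)
{
    struct stat root_st, st; char comp[256];
    if (*relpath == '/' || !*relpath || fstat(rootfd, &root_st) < 0)
        return errno = EINVAL, -1;               /* absolute or empty paths refused */
    int cur = dup(rootfd), err = 0;
    if (cur < 0) return -1;
    for (const char *p = relpath; *p && !err; ) {
        size_t len = strcspn(p, "/");            /* length of this component */
        const char *rest = p + len + strspn(p + len, "/");   /* skip separators */
        if (len >= sizeof comp) { err = ENAMETOOLONG; break; }
        memcpy(comp, p, len); comp[len] = '\0';
        if (!strcmp(comp, "..")) { err = EXDEV; break; }     /* never climb out */
        int next = openat(cur, comp, O_NOFOLLOW | O_CLOEXEC |
                          (*rest ? O_RDONLY | O_DIRECTORY : flags), 0600);
        if (next < 0) { err = errno; break; }   /* ELOOP here means a symlink */
        if (fstat(next, &st) < 0) err = errno;
        else if (st.st_dev != root_st.st_dev) err = EXDEV;  /* crossed a mount */
        if (err) { close(next); break; }
        close(cur); cur = next; p = rest;
    }
    if (err) { close(cur); errno = err; return -1; }
    return cur;
}

/* Constructed check (hypothetical tree): file opens, symlink and ".." refused. */
int selftest(void)
{
    char dir[] = "/tmp/untrusted.XXXXXX";
    int root = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0 || mkdirat(root, "sub", 0700) || symlinkat("../../etc/passwd", root, "link") ||
        close(openat(root, "sub/data", O_WRONLY | O_CREAT, 0600)))
        return 1;
    int fd = open_untrusted_path(root, "sub/data", O_RDONLY), ok = fd >= 0;
    ok = ok && open_untrusted_path(root, "link", O_RDONLY) < 0 && errno == ELOOP;
    ok = ok && open_untrusted_path(root, "sub/../sub/data", O_RDONLY) < 0 && errno == EXDEV;
    close(fd); close(root);
    return ok ? 0 : 2;
}
```

Because the device check is done on the fd that was actually opened, not on a path that could be swapped afterwards, there is no check-then-use window between the stat and the use of the file.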