On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
>
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal with the restriction of a fixed filename in the last
> component, but might still be exploitable.

Yeah, I meant that you'd walk the path string in userspace one by one. That said, the "fstat at the end and check device" seems a lot better, or perhaps the mount namespaces could help. Also, don't forget about `setfsuid()`.

> The difficulty lies in applying these measures of precaution
> system-wide. This affects most init scripts and daemons, and
> everything else that keeps state on the writable file system.

One thing to note is that at least in the freedesktop.org/GNOME etc. side of things, we basically never have privileged processes accessing user home directories anymore. A good example is that GDM used to read ~username/.config/face.png or something like that to show the user's picture on the login screen, and that was subject to many of the same risks. But we've basically across the board migrated to a model where the unprivileged user session talks to privileged daemons via a DBus (or other) API. In this case, the picture data is stored in accountsservice.

NetworkManager is another big example of this, where e.g. WiFi credentials can be per user, and the session passes them to the privileged daemon over DBus, rather than having the privileged process try to parse config files in the user's homedir. It's a lot easier to secure.

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
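The per-component walk with a final fstat() device check that the reply sketches, as an added C example (not code from this thread or from any of the projects named in it). It assumes the caller already holds a directory fd it trusts as the root of the walk; `open_nofollow_walk` and the constructed temp-directory fixture in `demo_walk` are this example's own names, and `setfsuid()` and mount namespaces are not covered here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath rootfd one component at a time, each with O_NOFOLLOW, so a
 * symlink in ANY component is refused; a final fstat() rejects another device. */
static int open_nofollow_walk(int rootfd, const char *rel, int flags)
{
    struct stat root_st, st; char comp[256];
    if (fstat(rootfd, &root_st) < 0) return -1;
    int cur = dup(rootfd); if (cur < 0) return -1;
    for (const char *p = rel; *p; ) {
        while (*p == '/') p++; if (!*p) break;     /* tolerate "a//b" */
        size_t len = strcspn(p, "/");
        if (len >= sizeof comp || (len == 2 && !memcmp(p, "..", 2)))
            { close(cur); errno = EINVAL; return -1; } /* no climbing up */
        memcpy(comp, p, len); comp[len] = '\0';
        const char *q = (p += len);
        while (*q == '/') q++;                      /* look ahead: last? */
        int next = openat(cur, comp, (*q ? O_RDONLY | O_DIRECTORY : flags)
                                     | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        if (next < 0) return -1;                    /* ELOOP on a symlink */
        cur = next;
    }
    if (fstat(cur, &st) < 0) { close(cur); return -1; }
    if (st.st_dev != root_st.st_dev) { close(cur); errno = EXDEV; return -1; }
    return cur;
}

/* Constructed fixture: temp tree with a real file and a symlinked directory.
 * Returns 1 if the walker opens the file but refuses the symlink and "..". */
int demo_walk(void)
{
    char tmpl[] = "/tmp/walkXXXXXX";
    if (!mkdtemp(tmpl)) return 0;
    int root = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (root < 0 || mkdirat(root, "sub", 0700) < 0) return 0;
    close(openat(root, "sub/file.txt", O_WRONLY | O_CREAT, 0600));
    symlinkat(tmpl, root, "link");                  /* link -> the temp dir */
    int good = open_nofollow_walk(root, "sub/file.txt", O_RDONLY);
    int via_link = open_nofollow_walk(root, "link/sub/file.txt", O_RDONLY);
    int escape = open_nofollow_walk(root, "../etc/passwd", O_RDONLY);
    if (good >= 0) close(good); close(root);
    return good >= 0 && via_link < 0 && escape < 0;
}
```

The device check at the end is what catches a bind mount or other filesystem placed under the walked tree, which the per-component O_NOFOLLOW alone would not notice.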