On 2020-01-30, Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote: > On Thu, Jan 30, 2020 at 05:27:50PM -0700, Ross Zwisler wrote: > > For mounts that have the new "nosymfollow" option, don't follow > > symlinks when resolving paths. The new option is similar in spirit to > > the existing "nodev", "noexec", and "nosuid" options. Various BSD > > variants have been supporting the "nosymfollow" mount option for a > > long time with equivalent implementations. > > > > Note that symlinks may still be created on file systems mounted with > > the "nosymfollow" option present. readlink() remains functional, so > > user space code that is aware of symlinks can still choose to follow > > them explicitly. > > > > Setting the "nosymfollow" mount option helps prevent privileged > > writers from modifying files unintentionally in case there is an > > unexpected link along the accessed path. The "nosymfollow" option is > > thus useful as a defensive measure for systems that need to deal with > > untrusted file systems in privileged contexts. > > The openat2 series was just merged yesterday which includes a > LOOKUP_NO_SYMLINKS option. Is this enough for your needs, or do you > need the mount option? I have discussed a theoretical "noxdev" mount option (which is effectively LOOKUP_NO_XDEV) with Howells (added to Cc) in the past, and the main argument for having a mount option is that you can apply the protection to older programs without having to rewrite them to use openat2(2). However, the underlying argument for "noxdev" was that you could use it to constrain something like "tar -xf" inside a mountpoint (which could -- in principle -- be a bind-mount). I'm not so sure that "nosymfollow" has similar "obviously useful" applications (though I'd be happy to be proven wrong). If FreeBSD also has "nosymfollow", are there many applications where it is used over O_BENEATH (and how many would be serviced by LOOKUP_NO_SYMLINKS)? -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature