On Tue, Jun 01, 2010 at 03:55:29AM -0400, Christoph Hellwig wrote:
> On Mon, May 31, 2010 at 08:24:23PM -0700, Kees Cook wrote:
> > Well, that's what I'm trying to understand. It sounds like there is some
> > general agreement that the issue needs to be solved, but some folks do not
> > want it in the core VFS. As in, the objections aren't with how symlink
> > behavior is changed, just that the changes would be in the fs/ directory.
>
> No, it's not. It's not a change we can make for the default that
> everyone uses. If you're keen to mess up installations you control (aka
> ubuntu valuedadd viper) push it into a special LSM or rather a
> non-standard rule for it. It really doesn't matter if it's in fs/ or
> security/ but it's simply not going to happen by default.

Okay, thanks; that clarifies some of my confusion. It sounds like there are
some people that genuinely believe that the symlink-following logic should
not change. I would pose, then, a question of "what are legitimate and safe
situations that require following cross-user symlinks in a sticky
world-writable directory?" And if the answers to that aren't very
convincing, then I think it's reasonable to include at least an option to
change the behavior.

> > My rationale is that if it's in commoncaps, it's effective for everyone, so
> > it might as well be in core VFS. If the VFS objections really do boil down
> > to "not in fs/" then I'm curious if doing this in commoncaps is acceptable.
>
> If you think the objection is about having things in fs/ you're smoking
> some really bad stuff.

Right, that was my point exactly. It didn't make sense to object to it
being in fs/. The objection was to having it in the kernel at all. So now I
can focus my efforts on convincing people about the value of making this a
setting in the kernel, like turning on or off TCP syn-flood protection. Some
people may demand it, some people may hate it, but the choice is up to the
end user.

-Kees

--
Kees Cook
Ubuntu Security Team