On Tue, Jun 01, 2010 at 10:45:27PM +0100, Al Viro wrote: > On Tue, Jun 01, 2010 at 02:07:34PM -0700, Kees Cook wrote: > > > I don't buy it. If we are concerned about the symlinks in the middle of > > > pathname, your checks are useless (mkdir /tmp/a, ln -s whatever /tmp/a/b, > > > have victim open /tmp/a/b/something). If we are not, then your checks are > > > in the wrong place. > > > > Well, that's not traditionally where the problems happen, but I have no > > problem strengthening the protection to include a full examination of the > > entire path looking for sticky/world-writable directories. > > > > If not, what is the right place for the checks? > > Handling of trailing symlink on open(). At most. What would this look like? Moving the checks into may_open()? > And I wouldn't be > surprised if the real answer turns out to include "... if we have > O_CREAT in flags", but that needs to be determined. I think even without O_CREAT the protection is needed (some of the /tmp-races are things like reading a file pointed to by a symlink and spewing the contents to stderr, etc). Thanks, -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
