On Fri, Jan 6, 2012 at 1:58 AM, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: > On Fri, 6 Jan 2012 10:43:40 +0100 Ingo Molnar <mingo@xxxxxxx> wrote: >> * Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: >> > > +config PROTECTED_STICKY_SYMLINKS >> > > + bool "Protect symlink following in sticky world-writable directories" >> > > + default y >> > > + help >> > > + A long-standing class of security issues is the symlink-based >> > > + time-of-check-time-of-use race, most commonly seen in >> > > + world-writable directories like /tmp. The common method of >> > > + exploitation of this flaw is to cross privilege boundaries >> > > + when following a given symlink (i.e. a root process follows >> > > + a malicious symlink belonging to another user). >> > > + >> > > + Enabling this solves the problem by permitting symlinks to be >> > > + followed only when outside a sticky world-writable directory, >> > > + or when the uid of the symlink and follower match, or when >> > > + the directory and symlink owners match. >> > >> > This is all quite misleading. One would expect that >> > CONFIG_PROTECTED_STICKY_SYMLINKS turns the entire feature on >> > or off permanently. ie, it controls whether the code is >> > generated into vmlinux in the usual fashion. But it's not >> > that at all - the user gets the feature whether or not he >> > wants it, and this variable only sets the initial value. >> > >> > Why are we forcing the user to have the feature if he doesn't >> > want it, btw? >> >> Basing on the (not yet fully confirmed) assertion that no apps >> are broken by this change but exploits, I'd argue that this is >> actually the sane and correct semantics for symlinks - i.e. we >> want this to be the default Linux behavior - not just a >> 'feature'. >> >> That way the configuration knobs are compat settings in essence >> - in case some app cares. >> >> If people disagree and want it default off and as a separate >> feature then it has to be modularized out some more. There's >> notable silence from VFS folks on all this so Kees made an >> educated guess. It might be wrong. > > Maybe true for a general purpose computer, but someone who is making a > single-purpose device such as a digital TV or a wifi router won't want > it. > [...] > I'd have thought the way to configure this feature would be to have > CONFIG_PROTECTED_STICKY_SYMLINKS to control the code generation then a > 0 or 1 CONFIG_PROTECTED_STICKY_SYMLINKS_ENABLED to control the initial > setting. This seems like probably the best approach, though I dislike the silliness required in Kconfig to get a boolean into 1/0 form instead of set/unset in way that doesn't require the user to type "1" or "0". I'm happy to do it, though. -Kees -- Kees Cook ChromeOS Security -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
