Re: [RFC] namei: prevent sgid-hardlinks for unmapped gids

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Nov 04, 2015 at 09:59:55AM -0800, Andy Lutomirski wrote:
> On Tue, Nov 3, 2015 at 10:58 PM, Willy Tarreau <w@xxxxxx> wrote:
> > On Tue, Nov 03, 2015 at 03:29:55PM -0800, Kees Cook wrote:
> >> Using "write" does kill the set-gid bit. I haven't looked at
> >> why.
> >> Al or anyone else, is there a meaningful distinction here?
> >
> > I remember this one, I got caught once while trying to put a shell into
> > a suid-writable file to get some privileges someone forgot to offer me :-)
> >
> > It's done by should_remove_suid() which is called upon write() and truncate().
> >
> >> Should the
> >> mmap MAP_SHARED-write trigger the loss of the set-gid bit too? While
> >> holding the file open with either open or mmap, I get a Text-in-use
> >> error, so I would kind of expect the same behavior between either
> >> close() and munmap(). I wonder if this is a bug, and if so, then your
> >> link patch is indeed useful again. :)
> >
> > I don't see how this could be done with mmap(). Maybe we have a way to know
> > when the first write is performed via this path, I have no idea.
> 
> do_wp_page might be a decent bet.

Yep probably at the same place where we update the file's time ?

That said I never feel completely comfortable with changing a file's
permissions this way, I always fear it could break backup/restore
applications. Let's imagine for a minute that a restore does this :

 extract(const char *file_name, int file_perms) {
   fd = open(".tmpfile", O_CREAT, file_perms);
   mmap(fd);
   /* actually write file */
   close(fd);
   unlink(real_file_name);
   rename(".tmpfile", file_name);
 }

Yes I know it's not safe to do the chmod before writing to the file
but we could imagine some situations where it makes sense to be done
this way (eg: if the file is put into a protected directory), and
anyway this possibility is provided by open() and creat() so it is
legitimate to imagine these ones could exist.

Such a change would slightly modify semantics and affect such use cases
*if they exist*, just like using write() instead of mmap() would fail.
We could imagine having a sysctl to disable this strengthening, but it
is probably not the best solution for the long term either.

Just my two cents,
Willy

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux