Traditionally, magic-links have not been a well-understood topic in Linux. Given the new changes in their semantics (related to the link mode of trailing magic-links), it seems like a good opportunity to shine more light on magic-links and their semantics. Signed-off-by: Aleksa Sarai <cyphar@xxxxxxxxxx> --- man7/path_resolution.7 | 15 +++++++++++++++ man7/symlink.7 | 39 ++++++++++++++++++++++++++++++--------- 2 files changed, 45 insertions(+), 9 deletions(-) diff --git a/man7/path_resolution.7 b/man7/path_resolution.7 index 07664ed8faec..46f25ec4cdfa 100644 --- a/man7/path_resolution.7 +++ b/man7/path_resolution.7 @@ -136,6 +136,21 @@ we are just creating it. The details on the treatment of the final entry are described in the manual pages of the specific system calls. +.PP +Since Linux 5.FOO, if the final entry is a "magic-link" (see +.BR symlink (7)), +and the user is attempting to +.BR open (2) +it, then there is an additional permission-related restriction applied to the +operation: the requested access mode must not exceed the "link mode" of the +magic-link (unlike ordinary symlinks, magic-links have their own file mode.) +For example, if +.I /proc/[pid]/fd/[num] +has a link mode of +.BR 0500 , +unprivileged users are not permitted to +.BR open () +the magic-link for writing. .SS . and .. By convention, every directory has the entries "." and "..", which refer to the directory itself and to its parent directory, diff --git a/man7/symlink.7 b/man7/symlink.7 index 9f5bddd5dc21..33f0ec703acd 100644 --- a/man7/symlink.7 +++ b/man7/symlink.7 @@ -84,6 +84,25 @@ as they are implemented on Linux and other systems, are outlined here. It is important that site-local applications also conform to these rules, so that the user interface can be as consistent as possible. +.SS Magic-links +There is a special class of symlink-like objects known as "magic-links" which +can be found in certain pseudo-filesystems such as +.BR proc (5) +(examples include +.IR /proc/[pid]/exe " and " /proc/[pid]/fd/* .) +Unlike normal symlinks, magic-links are not resolved through +pathname-expansion, but instead act as direct references to the kernel's own +representation of a file handle. As such, these magic-links allow users to +access files which cannot be referenced with normal paths (such as unlinked +files still referenced by a running program.) +.PP +Because they can bypass ordinary +.BR mount_namespaces (7)-based +restrictions, magic-links have been used as attack vectors in various exploits. +As such (since Linux 5.FOO), there are additional restrictions placed on the +re-opening of magic-links (see +.BR path_resolution (7) +for more details.) .SS Symbolic link ownership, permissions, and timestamps The owner and group of an existing symbolic link can be changed using @@ -99,16 +118,18 @@ of a symbolic link can be changed using or .BR lutimes (3). .PP -On Linux, the permissions of a symbolic link are not used -in any operations; the permissions are always -0777 (read, write, and execute for all user categories), .\" Linux does not currently implement an lchmod(2). -and can't be changed. -(Note that there are some "magic" symbolic links in the -.I /proc -directory tree\(emfor example, the -.IR /proc/[pid]/fd/* -files\(emthat have different permissions.) +On Linux, the permissions of an ordinary symbolic link are not used in any +operations; the permissions are always 0777 (read, write, and execute for all +user categories), and can't be changed. +.PP +However, magic-links do not follow this rule. They can have a non-0777 mode, +which is used for permission checks when the final +component of an +.BR open (2)'s +path is a magic-link (see +.BR path_resolution (7).) + .\" .\" The .\" 4.4BSD -- 2.23.0
