On Sat, 07 Dec 2024, Christopher Bii wrote:
> Hello,
>
> It is hinted in the configuration files that an attacker could gain access
> to arbitrary folders by guessing symlink paths that match exported dirs,
> but this is not the case. They can get access to the root export with
> certainty by simply symlinking to "../../../../../../../", which will
> always return "/".
>
> This is due to realpath() being called in the main thread which isn't
> chrooted, concatenating the result with the export root to create the
> export entry's final absolute path which the kernel then exports.
>
> PS: I already sent this patch to the mailing list about the same subject
> but it was poorly formatted. Changes were merged into a single commit. I
> have broken it up into smaller commits and made the patch into a single
> thread. Pardon the mistake, first contribution.

I'm still not convinced there is a vulnerability here, but I might have
missed part of the conversation...

Could you please spell out in detail the threat scenario that we are
trying to defend against?