On Wed, Dec 06, 2023 at 10:10:00PM -0800, Christoph Hellwig wrote: > I really do not thing turning an unknown mode, which means potentially > user controlled data in regular files or symlink bodies into file system > metadata in directories is ever a good idea. Quite contrary, I think > it is a security risk waiting for exploits. So for anything that takes > an unknown inode and turns it into a directory or block/char special > file: NAK. I probably shouldn't have resent this as the COVID fever set in. Granted, I predicted (mostly correctly) that I'd still be a bit messed in the head five days later. block/char/special files... I guess those can just turn into zero length regular files. Would this NAK remain even if there were external corroborating evidence? For example, what if we read the dirents out of the first directory block, seek out parent pointers in the alleged children, and confirm a 1:1 match between the alleged dirents and pptrs? Unprivileged userspace can certain create a regular file N that looks like a dirent block, but it cannot create dangling pptrs back to N to trick the verification algorithm. (Obviously any patch implementing this will come much later in the series) --D
