Re: Best Practices for private key files handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/15/22 15:40, Philip Prindeville wrote:
> I was thinking of the case where the directory containing the keys (as configured) is correctly owned, but contains a symlink pointing outside of that directory somewhere else... say to a file owned by an ordinary user.
>
> In that case, as has been pointed out, it might be sufficient to just pay attention to the owner/group/modes of the file and reject them if:
>
> (1) the file isn't 600 or 400;
> (2) the file isn't owned by root or the app-id that the app runs at.
>
> Do we agree on that?

Yes, that sounds very good.

That's the potential problem with symlinks.  Rarely should they ever point to something that is under the control of an unprivileged user.  Exceptions might be in cases where you actually do want a configuration for that user to come from a directory that they control ... but that should only be done in situations where that input is considered untrusted and is stringently validated and sanitized before it is used.

If symlinks are used responsibly, they won't have security risks. In general, if the program checks the ownership and permissions of the actual file before using it, it shouldn't matter whether there is a symlink or not.

Thanks,
Shawn



