From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753523AbdKXLwv (ORCPT); Fri, 24 Nov 2017 06:52:51 -0500
Received: from smtp-out4.electric.net ([192.162.216.182]:63525 "EHLO smtp-out4.electric.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753480AbdKXLws (ORCPT); Fri, 24 Nov 2017 06:52:48 -0500
From: David Laight
To: "'Salvatore Mesoraca'"
CC: Alan Cox, "linux-kernel@vger.kernel.org", Kernel Hardening, "linux-fsdevel@vger.kernel.org", Alexander Viro, Jann Horn, Kees Cook, "Solar Designer", "Eric W. Biederman"
Subject: RE: [PATCH v3 2/2] Protected O_CREAT open in sticky directories
Thread-Topic: [PATCH v3 2/2] Protected O_CREAT open in sticky directories
Thread-Index: AQHTY7JHoPTLgqi4okeYgYQKKgWbF6MjW80wgAAPyICAAAHpkA==
Date: Fri, 24 Nov 2017 11:53:01 +0000
Message-ID:
References: <1511337706-8297-1-git-send-email-s.mesoraca16@gmail.com> <1511337706-8297-3-git-send-email-s.mesoraca16@gmail.com> <20171122165144.07aea7ac@alans-desktop> <33dcc007e92349999ce77bf45825be22@AcuMS.aculab.com>
In-Reply-To:
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.202.99.200]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
X-Outbound-IP: 156.67.243.126
X-Env-From: David.Laight@ACULAB.COM
X-Proto: esmtps
X-Revdns:
X-HELO: AcuMS.aculab.com
X-TLS: TLSv1.2:ECDHE-RSA-AES256-SHA384:256
X-Authenticated_ID:
X-PolicySMART: 3396946, 3397078
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by nfs id vAOBqtbW010226

From: Salvatore Mesoraca [mailto:s.mesoraca16@gmail.com]
> Sent: 24 November 2017 11:44
>
> 2017-11-24 11:53 GMT+01:00 David Laight :
> > From: Alan Cox
> >> Sent: 22 November 2017 16:52
> >>
> >> On Wed, 22 Nov 2017 09:01:46 +0100
> >> Salvatore Mesoraca wrote:
> >>
> >> > Disallows O_CREAT open missing the O_EXCL flag, in world or
> >> > group writable directories, even if the file doesn't exist yet.
> >> > With few exceptions (e.g. shared lock files based on flock())
> >>
> >> Enough exceptions to make it a bad idea.
> >>
> >> Firstly if you care this much *stop* having shared writable directories.
> >> We have namespaces, you don't need them. You can give every user their
> >> own /tmp etc.
> >
> > Looks like a very bad idea to me as well.
> >
> > Doesn't this stop all shell redirects into a shared /tmp ?
> > I'm pretty sure most programs use O_CREAT | O_TRUNC for output
> > files - they'll all stop working.
>
> If some program does such a thing, that's a potential vulnerability.
> With "protected_hardlinks" you are, in most cases, safe.
> But, still, that program has a bug and having this feature enabled will
> help you notice it soon.
> For that matter, I'm using this patch on my system and I don't have any
> program behaving like this.

Hmmm.... a quick strace shows cp and vi doing stat("/tmp/foo") and then
open(O_WRONLY|O_TRUNC) if it exists and O_CREAT|O_EXCL if it doesn't.
I can't help feeling that is just hiding a race.

	David
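The race David describes (decide on stat(), then open() based on a stale answer) is easy to reproduce in a single process, so here is an added example that is not part of the thread and not code from the patch under discussion. It replays the stat-then-open sequence the strace shows with a hook standing in for whatever else touches the shared directory between the two system calls, and contrasts it with a "create or truncate" open that makes every decision on the descriptor it actually holds (O_CREAT|O_EXCL|O_NOFOLLOW first, then O_NOFOLLOW plus an fstat() ownership and link-count check before ftruncate()). The hardened sequence is the author's own suggestion here, not something proposed in the thread. Everything runs as one user in a scratch directory made sticky and world-writable, so it shows the window itself rather than the cross-user case the protected_symlinks/protected_hardlinks sysctls address; the directory and file names (out.txt, victim.txt) are constructed for the demo and it assumes a writable /tmp (falling back to the current directory).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook invoked between stat() and open(); it stands in for another process
 * that gets to act in the shared directory during that window (demo only). */
typedef void (*race_hook_t)(const char *path);

/* The sequence reported by the strace in the mail: stat(), then either
 * open(O_WRONLY|O_TRUNC) or open(O_CREAT|O_EXCL) depending on the answer.
 * The choice rests on stale information: the directory can change in between. */
int open_stat_then_open(const char *path, race_hook_t between)
{
    struct stat st;
    int exists = (stat(path, &st) == 0);
    if (between)
        between(path);
    if (exists)
        return open(path, O_WRONLY | O_TRUNC);          /* follows symlinks */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Same "create or truncate" intent, but every decision is made on the
 * descriptor we hold, never on a path that may have been swapped. */
int open_output_hardened(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0)
        return fd;                      /* we created it: nobody could plant it */
    if (errno != EEXIST)
        return -1;
    fd = open(path, O_WRONLY | O_NOFOLLOW);   /* ELOOP if a symlink sits there */
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;                  /* not our own, singly linked regular file */
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

static char g_victim[256];              /* constructed path, set by run_demo() */

/* Stand-in for the racing process: replace the entry with a symlink. */
static void swap_in_symlink(const char *path)
{
    unlink(path);
    symlink(g_victim, path);
}

static int write_text(const char *path, const char *text)
{
    /* setup only, inside a directory this process has just created */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs both sequences in a scratch sticky, world-writable directory.
 * Returns a bitmask: bit 0 = racy sequence truncated the victim,
 * bit 1 = hardened sequence refused and left the victim intact; -1 on setup failure. */
int run_demo(void)
{
    char dir[64];
    strcpy(dir, "/tmp/oexcl_demo.XXXXXX");
    if (!mkdtemp(dir)) {
        strcpy(dir, "./oexcl_demo.XXXXXX");      /* fallback if /tmp is unusable */
        if (!mkdtemp(dir))
            return -1;
    }
    chmod(dir, 01777);                            /* the shared /tmp situation */
    char target[256];
    snprintf(target, sizeof target, "%s/out.txt", dir);
    snprintf(g_victim, sizeof g_victim, "%s/victim.txt", dir);
    if (write_text(g_victim, "important data\n") || write_text(target, "old output\n"))
        return -1;

    int result = 0;
    int fd = open_stat_then_open(target, swap_in_symlink);   /* stat said "exists" */
    if (fd >= 0)
        close(fd);
    if (file_size(g_victim) == 0)
        result |= 1;                              /* O_TRUNC went through the symlink */

    write_text(g_victim, "important data\n");     /* restore; symlink stays planted */
    fd = open_output_hardened(target);
    if (fd < 0 && file_size(g_victim) > 0)
        result |= 2;
    if (fd >= 0)
        close(fd);

    unlink(target);
    unlink(g_victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("racy stat+open truncated the victim: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened open refused:               %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The point of the contrast is that the hardened path never needs a separate existence check: O_EXCL answers "did I create it?" atomically, and when the answer is no, fstat() on the open descriptor is the only reliable way to learn what was opened. A sysctl that rejects O_CREAT without O_EXCL in sticky directories would flag the first branch of open_stat_then_open() in the "missing" case but not the O_TRUNC branch, which is the one that actually races here.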