From: Aleksa Sarai <asarai@suse.de>
To: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <christian@brauner.io>,
linux-man@vger.kernel.org, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH man-pages v2 2/2] openat2.2: document new openat2(2) syscall
Date: Tue, 14 Apr 2020 20:35:24 +1000 [thread overview]
Message-ID: <20200414103524.wjhyfobzpjk236o7@yavin.dot.cyphar.com> (raw)
In-Reply-To: <cd1438ab-cfc6-b286-849e-d7de0d5c7258@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 7571 bytes --]
On 2020-04-13, Michael Kerrisk (man-pages) <mtk.manpages@gmail.com> wrote:
> >>>> .\" FIXME I find the "previously-functional systems" in the previous
> >>>> .\" sentence a little odd (since openat2() ia new sysycall), so I would
> >>>> .\" like to clarify a little...
> >>>> .\" Are you referring to the scenario where someone might take an
> >>>> .\" existing application that uses openat() and replaces the uses
> >>>> .\" of openat() with openat2()? In which case, is it correct to
> >>>> .\" understand that you mean that one should not just indiscriminately
> >>>> .\" add the RESOLVE_NO_XDEV flag to all of the openat2() calls?
> >>>> .\" If I'm not on the right track, could you point me in the right
> >>>> .\" direction please.
> >>>
> >>> This is mostly meant as a warning to hopefully avoid applications
> >>> because the developer didn't realise that system paths may contain
> >>> symlinks or bind-mounts. For an application which has switched to
> >>> openat2() and then uses RESOLVE_NO_SYMLINKS for a non-security reason,
> >>> it's possible that on some distributions (or future versions of a
> >>> distribution) that their application will stop working because a system
> >>> path suddenly contains a symlink or is a bind-mount.
> >>>
> >>> This was a concern which was brought up on LWN some time ago. If you can
> >>> think of a phrasing that makes this more clear, I'd appreciate it.
> >>
> >> Thanks. I've made the text:
> >>
> >> Applications that employ the RESOLVE_NO_XDEV flag
> >> are encouraged to make its use configurable (unless
> >> it is used for a specific security purpose), as bind
> >> mounts are widely used by end-users. Setting this
> >> flag indiscriminately—i.e., for purposes not specif‐
> >> ically related to security—for all uses of openat2()
> >> may result in spurious errors on previously-func‐
> >> tional systems. This may occur if, for example, a
> >> system pathname that is used by an application is
> >> modified (e.g., in a new distribution release) so
> >> that a pathname component (now) contains a bind
> >> mount.
> >>
> >> Okay?
> >
> > Yup,
>
> Thanks.
>
> > and the same text should be used for the same warning I gave for
> > RESOLVE_NO_SYMLINKS (for the same reason, because system paths may
> > switch to symlinks -- the prime example being what Arch Linux did
> > several years ago).
>
> Okay -- I added similar text to RESOLVE_NO_SYMLINKS.
Much appreciated.
> >>>> .\" FIXME: what specific details in symlink(7) are being referred
> >>>> .\" by the following sentence? It's not clear.
> >>>
> >>> The section on magic-links, but you're right that the sentence ordering
> >>> is a bit odd. It should probably go after the first sentence.
> >>
> >> I must admit that I'm still confused. There's only the briefest of
> >> mentions of magic links in symlink(7). Perhaps that needs to be fixed?
> >
> > It wouldn't hurt to add a longer description of magic-links in
> > symlink(7). I'll send you a small patch to beef up the description (I
> > had planned to include a longer rewrite with the O_EMPTYPATH patches but
> > those require quite a bit more work to land).
>
> That would be great. Thank you!
I'll cook something up later this week.
> >> And, while I think of it, the text just preceding that FIXME says:
> >>
> >> Due to the potential danger of unknowingly opening
> >> these magic links, it may be preferable for users to
> >> disable their resolution entirely.
> >>
> >> This sentence reads a little strangely. Could you please give me some
> >> concrete examples, and I will try rewording that sentence a bit.
> >
> > The primary example is that certain files (such as tty devices) are
> > best not opened by an unsuspecting program (if you do not have a
> > controlling TTY, and you open such a file that console becomes your
> > controlling TTY unless you use O_NOCTTY).
> >
> > But more generally, magic-links allow programs to be "beamed" all over
> > the system (bypassing ordinary mount namespace restrictions). Since they
> > are fairly rarely used intentionally by most programs, this is more of a
> > tip to programmers that maybe they should play it safe and disallow
> > magic-links unless they are expecting to have to use them.
>
>
> I've reworked the text on RESOLVE_NO_MAGICLINKS substantially:
>
> RESOLVE_NO_MAGICLINKS
> Disallow all magic-link resolution during path reso‐
> lution.
>
> Magic links are symbolic link-like objects that are
> most notably found in proc(5); examples include
> /proc/[pid]/exe and /proc/[pid]/fd/*. (See sym‐
> link(7) for more details.)
>
> Unknowingly opening magic links can be risky for
> some applications. Examples of such risks include
> the following:
>
> · If the process opening a pathname is a controlling
> process that currently has no controlling terminal
> (see credentials(7)), then opening a magic link
> inside /proc/[pid]/fd that happens to refer to a
> terminal would cause the process to acquire a con‐
> trolling terminal.
>
> · In a containerized environment, a magic link
> inside /proc may refer to an object outside the
> container, and thus may provide a means to escape
> from the container.
>
> [The above example derives from https://lwn.net/Articles/796868/]
>
> Because of such risks, an application may prefer to
> disable magic link resolution using the
> RESOLVE_NO_MAGICLINKS flag.
>
> If the trailing component (i.e., basename) of path‐
> name is a magic link, and how.flags contains both
> O_PATH and O_NOFOLLOW, then an O_PATH file descrip‐
> tor referencing the magic link will be returned.
>
> How does the above look?
The changes look correct, though you could end up going through procfs
even if you weren't resolving a path inside proc directly (since you can
bind-mount symlinks or have a symlink to procfs). But I'm not sure if
it's necessary to outline all the ways a program could be tricked into
doing something unintended.
> Also, regarding the last paragraph, I have a question. The
> text doesn't seem quite to relate to the rest of the discussion.
> Should it be saying something like:
>
> If the trailing component (i.e., basename) of pathname is a magic link,
> **how.resolve contains RESOLVE_NO_MAGICLINKS,**
> and how.flags contains both O_PATH and O_NOFOLLOW, then an O_PATH
> file descriptor referencing the magic link will be returned.
>
> ?
Yes, that is what I meant to write -- and I believe that the
RESOLVE_NO_SYMLINKS section is missing similar text in the second
paragraph (except it should refer to RESOLVE_NO_SYMLINKS, obviously).
Thanks!
--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2020-04-14 10:53 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-02 15:19 [PATCH man-pages v2 0/2] document openat2(2) Aleksa Sarai
2020-02-02 15:19 ` [PATCH man-pages v2 1/2] path_resolution.7: update to mention openat2(2) features Aleksa Sarai
2020-03-30 20:38 ` Michael Kerrisk (man-pages)
2020-02-02 15:19 ` [PATCH man-pages v2 2/2] openat2.2: document new openat2(2) syscall Aleksa Sarai
2020-03-30 9:08 ` Michael Kerrisk (man-pages)
2020-03-30 9:20 ` Aleksa Sarai
2020-03-30 9:36 ` Michael Kerrisk (man-pages)
2020-03-30 9:48 ` Aleksa Sarai
2020-03-30 20:43 ` Michael Kerrisk (man-pages)
2020-03-31 14:39 ` Aleksa Sarai
2020-04-01 6:38 ` Michael Kerrisk (man-pages)
2020-04-08 21:29 ` Michael Kerrisk (man-pages)
2020-04-12 16:49 ` Aleksa Sarai
2020-04-13 7:22 ` Michael Kerrisk (man-pages)
2020-04-14 10:35 ` Aleksa Sarai [this message]
2020-04-15 20:24 ` Michael Kerrisk (man-pages)
2020-05-04 10:17 ` Michael Kerrisk (man-pages)
2020-06-10 5:53 ` [PATCH] symlink.7: document magic-links more completely Aleksa Sarai
2020-06-19 13:00 ` Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200414103524.wjhyfobzpjk236o7@yavin.dot.cyphar.com \
--to=asarai@suse.de \
--cc=christian@brauner.io \
--cc=cyphar@cyphar.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).