linux-kernel.vger.kernel.org archive mirror
From: Jann Horn <jannh@google.com>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	Andy Lutomirski <luto@amacapital.net>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	David Howells <dhowells@redhat.com>,
	Al Viro <viro@zeniv.linux.org.uk>, Karel Zak <kzak@redhat.com>,
	Jeff Layton <jlayton@redhat.com>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Nicolas Dichtel <nicolas.dichtel@6wind.com>,
	Christian Brauner <christian@brauner.io>,
	Lennart Poettering <lennart@poettering.net>,
	Linux API <linux-api@vger.kernel.org>,
	Ian Kent <raven@themaw.net>,
	LSM <linux-security-module@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: file metadata via fs API (was: [GIT PULL] Filesystem Information)
Date: Tue, 11 Aug 2020 22:36:58 +0200
Message-ID: <CAG48ez3Li+HjJ6-wJwN-A84WT2MFE131Dt+6YiU96s+7NO5wkQ@mail.gmail.com>
In-Reply-To: <CAJfpegvUBpb+C2Ab=CLAwWffOaeCedr-b7ZZKZnKvF4ph1nJrw@mail.gmail.com>

On Tue, Aug 11, 2020 at 10:29 PM Miklos Szeredi <miklos@szeredi.hu> wrote:
> On Tue, Aug 11, 2020 at 6:17 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> > Since a////////b has known meaning, and lots of applications
> > play loose with '/', it's really dangerous to treat the string as
> > special. We only get away with '.' and '..' because their behavior
> > was defined before many of y'all were born.
>
> So the founding fathers have set things in stone and now we can't
> change it. Right?
>
> Well that's how it looks... but let's think a little; we have '/' and
> '\0' that can't be used in filenames.  Also '.' and '..' are
> prohibited names. It's not a trivial limitation, so applications are
> probably not used to dumping binary data into file names.  And that
> means it's probably possible to find a fairly short combination that
> is never used in practice (probably containing the "/." sequence).
> Why couldn't we reserve such a combination now?

This isn't just about finding a string that "is never used in
practice". There is userspace software that performs security checks
based on the precise semantics that paths have nowadays, and those
security checks will sometimes happily let you use arbitrary binary
garbage in path components as long as there's no '\0' or '/' in there
and the name isn't "." or "..", because that's just how paths work on
Linux.

If you change the semantics of path strings, you'd have to be
confident that the new semantics fit nicely with all the path
validation routines that exist scattered across userspace, and don't
expose new interfaces through file server software and setuid binaries
and so on.

I really don't like this idea.
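
Added example, not part of the message above and not code from any project: a userspace path check of the kind the message describes, written against today's path semantics. It shows that any component other than "." and ".." is counted as an ordinary name, so a check like this would pass a newly reserved sequence through unchanged. The function name check_relative_path and all sample inputs, including the made-up name ".constructed-marker", are assumptions for illustration.

```c
/* Added example: a userspace path check written against today's semantics. */
#include <stdio.h>
#include <string.h>

/* Returns the number of ordinary components in a relative path, or -1 if
 * the path is rejected. The rules are the ones the message lists: '/'
 * separates components, '\0' ends the string, "." and ".." are special,
 * and every other byte sequence is an ordinary name. */
int check_relative_path(const char *path)
{
    int names = 0;

    if (path[0] == '/')
        return -1;                      /* absolute path: refuse */
    while (*path) {
        size_t len = strcspn(path, "/");

        if (len == 0) {                 /* "a////b" means "a/b" */
            path++;
            continue;
        }
        if (len == 2 && path[0] == '.' && path[1] == '.')
            return -1;                  /* ".." could climb out of the root */
        if (!(len == 1 && path[0] == '.'))
            names++;                    /* "." is a no-op, all else is a name */
        path += len;
    }
    return names;
}

int main(void)
{
    /* Constructed inputs; ".constructed-marker" is a made-up name. */
    const char *samples[] = {
        "a////////b", "a/../b", "dir/\001\377\177-blob",
        "a/.constructed-marker/b",
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%d\n", check_relative_path(samples[i]));
    return 0;
}
```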
