Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sat, 13 Apr 2002 21:49:47 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sat, 13 Apr 2002 21:49:46 -0400 Received: from cerebus.wirex.com ([65.102.14.138]:49143 "EHLO figure1.int.wirex.com") by vger.kernel.org with ESMTP id ; Sat, 13 Apr 2002 21:49:45 -0400 Date: Sat, 13 Apr 2002 18:49:13 -0700 From: Chris Wright To: Alan Cox Cc: xystrus , linux-kernel@vger.kernel.org Subject: Re: link() security Message-ID: <20020413184913.E6039@figure1.int.wirex.com> Mail-Followup-To: Alan Cox , xystrus , linux-kernel@vger.kernel.org In-Reply-To: <20020411181524.A1463@figure1.int.wirex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org * Alan Cox (alan@lxorguk.ukuu.org.uk) wrote: > > How practical is it to make this a mount option and to do so cleanly ? Well, it's not too bad. Below is a patch (albeit quick and dirty) that adds a MS_SECURE_LINK mount option to enforce this behaviour. To simplify testing, I cheated and piggy backed the MS_SECURE_LINK option on the MS_NOSUID option. So a simple 'mount -o nosuid,remount /foo' enables this. The secure link test allows a hard link if you own the target file or are in the same group _and_ can (by group) write to the file, or have proper capability, of course. Patch is against 2.4.19-pre5-ac3. cheers, -chris --- 2.4.19-pre5-ac3/fs/namespace.c.link Sat Apr 13 18:06:21 2002 +++ 2.4.19-pre5-ac3/fs/namespace.c Sat Apr 13 18:12:11 2002 @@ -707,8 +707,10 @@ return -EINVAL; /* Separate the per-mountpoint flags */ - if (flags & MS_NOSUID) + if (flags & MS_NOSUID) { mnt_flags |= MNT_NOSUID; + flags |= MS_SECURE_LINK; + } if (flags & MS_NODEV) mnt_flags |= MNT_NODEV; if (flags & MS_NOEXEC) --- 2.4.19-pre5-ac3/fs/namei.c.link Sat Apr 13 18:06:21 2002 +++ 2.4.19-pre5-ac3/fs/namei.c Sat Apr 13 18:12:11 2002 @@ -1614,6 +1614,11 @@ error = -EPERM; if (IS_APPEND(inode) || IS_IMMUTABLE(inode)) goto exit_lock; + if (IS_SECURE_LINK(inode) && (!capable(CAP_FOWNER) && + current->fsuid != inode->i_uid && + (current->fsgid != inode->i_gid || + !(inode->i_mode & S_IWGRP)))) + goto exit_lock; if (!dir->i_op || !dir->i_op->link) goto exit_lock; --- 2.4.19-pre5-ac3/include/linux/fs.h.link Sat Apr 13 18:06:21 2002 +++ 2.4.19-pre5-ac3/include/linux/fs.h Sat Apr 13 18:15:38 2002 @@ -111,6 +111,7 @@ #define MS_MOVE 8192 #define MS_REC 16384 #define MS_VERBOSE 32768 +#define MS_SECURE_LINK 65536 #define MS_ACTIVE (1<<30) #define MS_NOUSER (1<<31) @@ -118,7 +119,7 @@ * Superblock flags that can be altered by MS_REMOUNT */ #define MS_RMT_MASK (MS_RDONLY|MS_SYNCHRONOUS|MS_MANDLOCK|MS_NOATIME|\ - MS_NODIRATIME) + MS_NODIRATIME|MS_SECURE_LINK) /* * Old magic mount flag and mask @@ -161,6 +162,7 @@ #define IS_IMMUTABLE(inode) ((inode)->i_flags & S_IMMUTABLE) #define IS_NOATIME(inode) (__IS_FLG(inode, MS_NOATIME) || ((inode)->i_flags & S_NOATIME)) #define IS_NODIRATIME(inode) __IS_FLG(inode, MS_NODIRATIME) +#define IS_SECURE_LINK(inode) __IS_FLG(inode, MS_SECURE_LINK) #define IS_DEADDIR(inode) ((inode)->i_flags & S_DEAD) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/