Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote: > > Note that O_NOFOLLOW only affects the final path component. If there's > a symlink in any of the parent directories, that'll still be traversed > even with O_NOFOLLOW. This situation is less risky as an attacker will > have to deal

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote: > > Note that O_NOFOLLOW only affects the final path component. If there's > a symlink in any of the parent directories, that'll still be traversed > even with O_NOFOLLOW. This situation is less risky as an attacker will > have to deal

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote: > > On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > > OK, no more feedback thus far. Is there generally any interest in a > > mount option to avoid path name aliasing resulting in target file > > confusion?

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote: > > On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > > OK, no more feedback thus far. Is there generally any interest in a > > mount option to avoid path name aliasing resulting in target file > > confusion? Perhaps a version that

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > OK, no more feedback thus far. Is there generally any interest in a > mount option to avoid path name aliasing resulting in target file > confusion? Perhaps a version that only disables symlinks instead of > also hard-disabling files

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > OK, no more feedback thus far. Is there generally any interest in a > mount option to avoid path name aliasing resulting in target file > confusion? Perhaps a version that only disables symlinks instead of > also hard-disabling files

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On 2016-10-17 09:02, Mattias Nissler wrote: OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On 2016-10-17 09:02, Mattias Nissler wrote: OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple

Re: [RFC] [PATCH] Add a "nolinks" mount option.

OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple locations (those are much lower risk for the

Re: [RFC] [PATCH] Add a "nolinks" mount option.

OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple locations (those are much lower risk for the

Re: [RFC] [PATCH] Add a "nolinks" mount option.

Forgot to mention: I realize my motivation is very specific to Chrome OS, however the nolinks option seemed useful also as a mitigation to generic privilege escalation symlink attacks, for cases where disabling symlinks/hardlinks is acceptable. On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler

Re: [RFC] [PATCH] Add a "nolinks" mount option.

Forgot to mention: I realize my motivation is very specific to Chrome OS, however the nolinks option seemed useful also as a mitigation to generic privilege escalation symlink attacks, for cases where disabling symlinks/hardlinks is acceptable. On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote: > > On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > > Setting the "nolinks" mount option helps prevent privileged writers > > > from modifying files unintentionally in case there is an unexpected > > > link

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote: > > On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > > Setting the "nolinks" mount option helps prevent privileged writers > > > from modifying files unintentionally in case there is an unexpected > > > link along the accessed path. The

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > Setting the "nolinks" mount option helps prevent privileged writers > > from modifying files unintentionally in case there is an unexpected > > link along the accessed path. The "nolinks" option is thus useful as a > > defensive measure

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > Setting the "nolinks" mount option helps prevent privileged writers > > from modifying files unintentionally in case there is an unexpected > > link along the accessed path. The "nolinks" option is thus useful as a > > defensive measure

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote: > For mounts that have the new "nolinks" option, don't follow symlinks > and reject to open files with a hard link count larger than one. The > new option is similar in spirit to the existing "nodev", "noexec", and > "nosuid"

Re: [RFC] [PATCH] Add a "nolinks" mount option.

On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote: > For mounts that have the new "nolinks" option, don't follow symlinks > and reject to open files with a hard link count larger than one. The > new option is similar in spirit to the existing "nodev", "noexec", and > "nosuid"