On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
>
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal
On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
>
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote:
>
> On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> > OK, no more feedback thus far. Is there generally any interest in a
> > mount option to avoid path name aliasing resulting in target file
> > confusion?
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote:
>
> On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> > OK, no more feedback thus far. Is there generally any interest in a
> > mount option to avoid path name aliasing resulting in target file
> > confusion? Perhaps a version that
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> OK, no more feedback thus far. Is there generally any interest in a
> mount option to avoid path name aliasing resulting in target file
> confusion? Perhaps a version that only disables symlinks instead of
> also hard-disabling files
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> OK, no more feedback thus far. Is there generally any interest in a
> mount option to avoid path name aliasing resulting in target file
> confusion? Perhaps a version that only disables symlinks instead of
> also hard-disabling files
On 2016-10-17 09:02, Mattias Nissler wrote:
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple
On 2016-10-17 09:02, Mattias Nissler wrote:
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple locations (those are
much lower risk for the
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple locations (those are
much lower risk for the
Forgot to mention: I realize my motivation is very specific to Chrome
OS, however the nolinks option seemed useful also as a mitigation to
generic privilege escalation symlink attacks, for cases where
disabling symlinks/hardlinks is acceptable.
On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler
Forgot to mention: I realize my motivation is very specific to Chrome
OS, however the nolinks option seemed useful also as a mitigation to
generic privilege escalation symlink attacks, for cases where
disabling symlinks/hardlinks is acceptable.
On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote:
>
> On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > > Setting the "nolinks" mount option helps prevent privileged writers
> > > from modifying files unintentionally in case there is an unexpected
> > > link
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote:
>
> On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > > Setting the "nolinks" mount option helps prevent privileged writers
> > > from modifying files unintentionally in case there is an unexpected
> > > link along the accessed path. The
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > Setting the "nolinks" mount option helps prevent privileged writers
> > from modifying files unintentionally in case there is an unexpected
> > link along the accessed path. The "nolinks" option is thus useful as a
> > defensive measure
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > Setting the "nolinks" mount option helps prevent privileged writers
> > from modifying files unintentionally in case there is an unexpected
> > link along the accessed path. The "nolinks" option is thus useful as a
> > defensive measure
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote:
> For mounts that have the new "nolinks" option, don't follow symlinks
> and reject to open files with a hard link count larger than one. The
> new option is similar in spirit to the existing "nodev", "noexec", and
> "nosuid"
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote:
> For mounts that have the new "nolinks" option, don't follow symlinks
> and reject to open files with a hard link count larger than one. The
> new option is similar in spirit to the existing "nodev", "noexec", and
> "nosuid"
18 matches
Mail list logo