Joe Krahn:
> OK, I was thinking that pseudo-links are more like special symlinks.
> Isn't the problem that there is some sort of "place holder" in the
> directory, the same as a symlink, whose filename is based on the inode?
It might be better to use a case study to explain the security issue of mode 0711 on the internal pseudo-link dir.

- You have some private files and you don't want to expose them to others.
- You collect the files under a dir named PrivateDir, and set the mode of the dir to 0700.
- But the mode of the files under the dir is still 0644.

  -rwx------ 1 user user 1382 Oct 27 17:57 PrivateDir
  -rw-r--r-- 1 user user 1382 Oct 27 17:57 PrivateDir/fileA
  -rw-r--r-- 1 user user 1382 Oct 27 17:57 PrivateDir/fileB

- In this case, no one can read your secret files even if their mode allows others to read them.
- If the mode of PrivateDir were 0711 instead of 0700, and if someone else knew your filename, then he could read your secret files, because 0711 allows others to look up names and 0644 allows others to read.

The note which I described in the aufs manual is a warning about this case.

----------------------------------------------------------------------
::: For example, when you have a directory whose permission flags are 0700, and a file which is 0644 under the 0700 directory. Usually, all files under the 0700 directory are private and no one else can see the file. But when the directory is 0711 and someone else knows the 0644 filename, he can read the file.

Basically, the aufs pseudo-link feature creates a temporary link under a directory whose owner is root and whose permission flags are 0700. But when the writable branch is NFS, aufs sets 0711 on the directory. When the 0644 file is pseudo-linked, the temporary link (whose contents are, of course, totally equivalent to the file) will be created under the 0711 directory. The filename will be generated from its inode number. While it is hard to know the generated filename, someone else may try peeping at the temporary pseudo-linked file with a software tool of his own, which may try every name from one to MAX_INT or something. In this case, the 0644 file will be read unexpectedly. I am afraid that leaving the temporary pseudo-links can be a security hole.
::: ----------------------------------------------------------------------

Of course, if the mode of the secret files is 0600 instead of 0644, then no one can read the files even if the mode of the dir is 0711.

Do I make myself clear? If my poor English has caused a misunderstanding again, please ask me again. I will try explaining it again.

J. R. Okajima
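The permission logic behind the case study above, as an added example that is not part of the post, the aufs manual, or aufs itself. It is a small model of the kernel's DAC check for a path walk (every directory on the path must grant search, only the final entry's read bit matters), applied to PrivateDir with 0700/0711 and 0644/0600, and then to a root-owned 0711 pseudo-link directory where an attacker probes inode-derived names without needing listing permission. The uid/gid values, the directory name `.plink`, and the `name = str(inode)` naming scheme are assumptions for the demo; the real aufs naming is not shown in the post, and root / CAP_DAC_OVERRIDE is deliberately not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """A directory entry in the model: permission bits, owner, and (for dirs) children."""
    name: str
    mode: int                      # permission bits only, e.g. 0o711
    uid: int
    gid: int
    children: dict = field(default_factory=dict)


def class_bits(node: Node, uid: int, gids: set) -> int:
    """Pick the rwx triple that applies to the caller: owner, then group, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_read(root: Node, path: str, uid: int, gids: set) -> bool:
    """Model of the DAC check for open(path, O_RDONLY) by a non-root caller.

    Each directory on the path must grant search (x) to look up the next
    component; the final entry's read (r) bit decides whether the contents
    are readable. Root / CAP_DAC_OVERRIDE is intentionally not modelled.
    """
    node = root
    for part in [p for p in path.split("/") if p]:
        if not class_bits(node, uid, gids) & 0o1:
            return False            # EACCES: cannot look up `part` in this dir
        node = node.children.get(part)
        if node is None:
            return False            # ENOENT
    return bool(class_bits(node, uid, gids) & 0o4)


OWNER, OTHER = 1000, 1001           # assumed uids: the file owner and a second user


def private_dir(dir_mode: int, file_mode: int) -> Node:
    """The case study from the post: /PrivateDir/{fileA,fileB} owned by OWNER."""
    root = Node("/", 0o755, 0, 0)
    d = Node("PrivateDir", dir_mode, OWNER, OWNER)
    for name in ("fileA", "fileB"):
        d.children[name] = Node(name, file_mode, OWNER, OWNER)
    root.children["PrivateDir"] = d
    return root


def plink_dir(dir_mode: int, files: dict) -> Node:
    """A root-owned pseudo-link directory whose entries are named by inode number.

    `files` maps inode -> (file_mode, owner uid). The name = str(inode) scheme
    and the directory name '.plink' are assumptions for this demo only.
    """
    root = Node("/", 0o755, 0, 0)
    d = Node(".plink", dir_mode, 0, 0)
    for ino, (mode, uid) in files.items():
        d.children[str(ino)] = Node(str(ino), mode, uid, uid)
    root.children[".plink"] = d
    return root


def probe_inode_names(root: Node, dirpath: str, uid: int, gids: set, limit: int) -> list:
    """The attack the post warns about: try every inode-derived name 1..limit.

    With 0711 the attacker cannot readdir() the directory, but each individual
    lookup succeeds, so guessing the name is enough to reach a 0644 file.
    """
    return [str(i) for i in range(1, limit + 1)
            if can_read(root, f"{dirpath}/{i}", uid, gids)]


if __name__ == "__main__":
    for dmode, fmode in ((0o700, 0o644), (0o711, 0o644), (0o711, 0o600)):
        r = private_dir(dmode, fmode)
        print(f"dir {dmode:o} file {fmode:o}: other user can read fileA? "
              f"{can_read(r, '/PrivateDir/fileA', OTHER, {OTHER})}")
    p = plink_dir(0o711, {4242: (0o644, OWNER), 4243: (0o600, OWNER)})
    print("readable pseudo-links found by probing:",
          probe_inode_names(p, "/.plink", OTHER, {OTHER}, 10000))
```

Running it prints False, True, False for the three PrivateDir variants and finds only the 0644 pseudo-link (`4242`) in the 0711 directory; the 0600 one stays hidden, which is the mitigation the post closes with.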