On Tue, Mar 26, 2002 at 10:23:08AM +0100, Oystein Viggen wrote:
> Hi
>
> I was wondering: If a user attaches a translator to a node in "/tmp" that
> shows, say, "/etc", "/sbin", "/", or something else, and root runs "rm
> -Rf /tmp", what will happen?

You are not creating a full scenario here; "to show" is not a filesystem
concept in the Hurd, so I can only guess what you mean. However, you are
right that there is such a condition. If you firmlink a directory, rm will
traverse into this directory.

As root:

    mkdir test
    touch test/foo

As user:

    settrans -ac test2 /hurd/firmlink test

As root:

    rm -fR test2

And test/foo will be gone.

Note that in the tmpreaper function in libexec/rc, we are carefully
removing translators first.

Note that if you open a node with O_NOFOLLOW, translators will not be
followed, so some of such attacks are stopped by this. However, rm is not
suspecting that a directory could be anything that it shouldn't follow.

> Will it be:
> 1. rm sees a directory, recurses, and deletes a lot of important files?
> 2. rm sees a directory and recurses, but because the translator is
>    running as, say, oysteivi, the ports provided won't give access to
>    actually delete stuff oysteivi couldn't delete himself? or

If you use a firmlink, the translator will redirect the user to the other
node, and the user will open it himself (retry). This is why the
permissions are there. Scenario 2 can also happen, if the translator looks
up the nodes itself. This is important because if you look up a node in a
translator, and you don't retry blindly, you can be sure everything is ok
permission-wise. (e.g., O_NOTRANS does the right thing).

> 3. rm sees a translator not owned by any id possessed by the current rm
>    process, tries to remove the translator and go on?

rm is not translator aware.

> I'm a bit unclear on the port auth stuff, so I'm not sure if 2. is
> likely, but if 1. happens, there is a lot of work to do on rm,
> tmpwatch/tmpreaper, and mv. (I guess this is why they don't allow
> directory hardlinks in Unix...)

Seems so. You definitely have to be much more careful with rm -r in a
space you don't own.

> Can anybody provide any advice on how to best add such translator
> support to user space programs?

We will need to discuss the details here. In general, translators should
be transparent except when a special option is given. For rm -r, I am not
so sure.

> Is putting the important code inside
> "#ifdef _HURD_" or somesuch advisable? (do we even have such a #define
> to lean on?)

We have __GNU__, don't use it. Write an autoconf check for the features
you need.

Thanks,
Marcus

_______________________________________________
Help-hurd mailing list
http://mail.gnu.org/mailman/listinfo/help-hurd

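As an added illustration of the defensive point made in the mail (open with O_NOFOLLOW and never descend through a node that is not the one you looked up), here is a small recursive remove written for this note; it is not code from the Hurd or from rm. It uses POSIX openat/fstatat, and in the constructed demo a symlink stands in for the firmlink, since the test is run on a non-Hurd system.

```c
#define _GNU_SOURCE   /* openat, fstatat, O_DIRECTORY, mkdtemp under strict -std */
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively remove NAME (relative to PARENT) without following a symlink,
 * or on the Hurd a translator, into some other directory: open with
 * O_NOFOLLOW|O_DIRECTORY and check we got the very node we lstat'ed. */
static int safe_rm_r(int parent, const char *name)
{
    struct stat before, after;
    if (fstatat(parent, name, &before, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    if (!S_ISDIR(before.st_mode))
        return unlinkat(parent, name, 0);      /* plain file or link: unlink */
    int fd = openat(parent, name, O_RDONLY | O_NOFOLLOW | O_DIRECTORY);
    if (fd < 0) return -1;
    /* Refuse to descend if the open was redirected to a different object. */
    if (fstat(fd, &after) < 0 || after.st_dev != before.st_dev
        || after.st_ino != before.st_ino) { close(fd); return -1; }
    DIR *d = fdopendir(fd);                    /* d now owns fd */
    if (!d) { close(fd); return -1; }
    struct dirent *e; int rc = 0;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (safe_rm_r(fd, e->d_name) < 0) rc = -1;
    }
    closedir(d);
    return rc ? rc : unlinkat(parent, name, AT_REMOVEDIR);
}

/* Constructed scenario (not from the mail): junk/ holds a file and a link
 * "victim" to ../victim, standing in for the firmlink. Removing junk must
 * delete junk but leave victim/keep.txt alone. Returns 1 if that holds. */
int demo(void)
{
    char tmpl[] = "/tmp/rmdemoXXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root || chdir(root) < 0) return 0;
    mkdir("victim", 0700); close(open("victim/keep.txt", O_CREAT | O_WRONLY, 0600));
    mkdir("junk", 0700);   close(open("junk/garbage", O_CREAT | O_WRONLY, 0600));
    symlink("../victim", "junk/victim");
    int rc = safe_rm_r(AT_FDCWD, "junk");
    int kept = access("victim/keep.txt", F_OK) == 0;
    int gone = access("junk", F_OK) != 0;
    safe_rm_r(AT_FDCWD, "victim"); chdir("/"); rmdir(root);   /* tidy up */
    return rc == 0 && kept && gone;
}
```

The dev/inode comparison is what catches a redirected open: the lookup that rm is "not suspecting" is exactly the case where the node you end up in is not the node you stat'ed.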