]> git.karo-electronics.de Git - karo-tx-linux.git/commit
projects / karo-tx-linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 122bfce) | patch
fs: hardlink creation restrictions
authorKees Cook <keescook@chromium.org>
Thu, 12 Apr 2012 22:51:55 +0000 (08:51 +1000)
committerStephen Rothwell <sfr@canb.auug.org.au>
Tue, 17 Apr 2012 03:47:16 +0000 (13:47 +1000)
commitb788d2ae4a0a898c7a4661256f62bf7d30da2deb
tree501a02caf295f237c92705cce4523cb55ec9a213tree | snapshot
parent122bfced80e61ac2b6fd6805ee5a86cedd4e8731commit | diff
fs: hardlink creation restrictions

On systems that have user-writable directories on the same partition as
system files, a long-standing class of security issues is the
hardlink-based time-of-check-time-of-use race, most commonly seen in
world-writable directories like /tmp.  The common method of exploitation
of this flaw is to cross privilege boundaries when following a given
hardlink (i.e.  a root process follows a hardlink created by another
user).  Additionally, an issue exists where users can "pin" a potentially
vulnerable setuid/setgid file so that an administrator will not actually
upgrade a system fully.

The solution is to permit hardlinks to only be created when the user is
already the existing file's owner, or if they already have read/write
access to the existing file.

Many Linux users are surprised when they learn they can link to files they
have no access to, so this change appears to follow the doctrine of "least
surprise".  Additionally, this change does not violate POSIX, which states
"the implementation may require that the calling process has permission to
access the existing file"[1].

This change is known to break some implementations of the "at" daemon,
though the version used by Fedora and Ubuntu has been fixed[2] for a
while.  Otherwise, the change has been undisruptive while in use in Ubuntu
for the last 1.5 years.

This patch is based on the patch in Openwall and grsecurity.  I have added
a sysctl to enable the protected behavior, documentation, and an audit
notification.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/linkat.html
[2] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279

[akpm@linux-foundation.org: uninline may_linkat() and audit_log_link_denied()]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Matthew Wilcox <matthew@wil.cx>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Rik van Riel <riel@redhat.com>
Cc: Federica Teodori <federica.teodori@googlemail.com>
Cc: Lucian Adrian Grijincu <lucian.grijincu@gmail.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Eric Paris <eparis@redhat.com>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Documentation/sysctl/fs.txt diff | blob | history
fs/Kconfig diff | blob | history
fs/namei.c diff | blob | history
include/linux/fs.h diff | blob | history
kernel/sysctl.c diff | blob | history
Linux kernel for KaRo TX COM modules