On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
>
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal
On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote:
>
> Note that O_NOFOLLOW only affects the final path component. If there's
> a symlink in any of the parent directories, that'll still be traversed
> even with O_NOFOLLOW. This situation is less risky as an attacker will
> have to deal
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote:
>
> On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> > OK, no more feedback thus far. Is there generally any interest in a
> > mount option to avoid path name aliasing resulting in target file
> > confusion?
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote:
>
> On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> > OK, no more feedback thus far. Is there generally any interest in a
> > mount option to avoid path name aliasing resulting in target file
> > confusion? Perhaps a version that
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> OK, no more feedback thus far. Is there generally any interest in a
> mount option to avoid path name aliasing resulting in target file
> confusion? Perhaps a version that only disables symlinks instead of
> also hard-disabling files
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote:
> OK, no more feedback thus far. Is there generally any interest in a
> mount option to avoid path name aliasing resulting in target file
> confusion? Perhaps a version that only disables symlinks instead of
> also hard-disabling files
On 2016-10-17 09:02, Mattias Nissler wrote:
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple
On 2016-10-17 09:02, Mattias Nissler wrote:
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple locations (those are
much lower risk for the
OK, no more feedback thus far. Is there generally any interest in a
mount option to avoid path name aliasing resulting in target file
confusion? Perhaps a version that only disables symlinks instead of
also hard-disabling files hard-linked to multiple locations (those are
much lower risk for the
Forgot to mention: I realize my motivation is very specific to Chrome
OS, however the nolinks option seemed useful also as a mitigation to
generic privilege escalation symlink attacks, for cases where
disabling symlinks/hardlinks is acceptable.
On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler
Forgot to mention: I realize my motivation is very specific to Chrome
OS, however the nolinks option seemed useful also as a mitigation to
generic privilege escalation symlink attacks, for cases where
disabling symlinks/hardlinks is acceptable.
On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote:
>
> On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > > Setting the "nolinks" mount option helps prevent privileged writers
> > > from modifying files unintentionally in case there is an unexpected
> > > link
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote:
>
> On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > > Setting the "nolinks" mount option helps prevent privileged writers
> > > from modifying files unintentionally in case there is an unexpected
> > > link along the accessed path. The
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > Setting the "nolinks" mount option helps prevent privileged writers
> > from modifying files unintentionally in case there is an unexpected
> > link along the accessed path. The "nolinks" option is thus useful as a
> > defensive measure
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote:
> > Setting the "nolinks" mount option helps prevent privileged writers
> > from modifying files unintentionally in case there is an unexpected
> > link along the accessed path. The "nolinks" option is thus useful as a
> > defensive measure
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote:
> For mounts that have the new "nolinks" option, don't follow symlinks
> and reject to open files with a hard link count larger than one. The
> new option is similar in spirit to the existing "nodev", "noexec", and
> "nosuid"
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote:
> For mounts that have the new "nolinks" option, don't follow symlinks
> and reject to open files with a hard link count larger than one. The
> new option is similar in spirit to the existing "nodev", "noexec", and
> "nosuid"
For mounts that have the new "nolinks" option, don't follow symlinks
and reject to open files with a hard link count larger than one. The
new option is similar in spirit to the existing "nodev", "noexec", and
"nosuid" options.
Note that symlinks and hard links may still be created on mounts where
For mounts that have the new "nolinks" option, don't follow symlinks
and reject to open files with a hard link count larger than one. The
new option is similar in spirit to the existing "nodev", "noexec", and
"nosuid" options.
Note that symlinks and hard links may still be created on mounts where
20 matches
Mail list logo