Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-19 Thread Colin Walters
On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote: > > Note that O_NOFOLLOW only affects the final path component. If there's > a symlink in any of the parent directories, that'll still be traversed > even with O_NOFOLLOW. This situation is less risky as an attacker will > have to deal

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-19 Thread Colin Walters
On Wed, Oct 19, 2016, at 07:28 AM, Mattias Nissler wrote: > > Note that O_NOFOLLOW only affects the final path component. If there's > a symlink in any of the parent directories, that'll still be traversed > even with O_NOFOLLOW. This situation is less risky as an attacker will > have to deal

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-19 Thread Mattias Nissler
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote: > > On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > > OK, no more feedback thus far. Is there generally any interest in a > > mount option to avoid path name aliasing resulting in target file > > confusion?

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-19 Thread Mattias Nissler
On Tue, Oct 18, 2016 at 5:14 PM, Colin Walters wrote: > > On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > > OK, no more feedback thus far. Is there generally any interest in a > > mount option to avoid path name aliasing resulting in target file > > confusion? Perhaps a version that

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-18 Thread Colin Walters
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > OK, no more feedback thus far. Is there generally any interest in a > mount option to avoid path name aliasing resulting in target file > confusion? Perhaps a version that only disables symlinks instead of > also hard-disabling files

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-18 Thread Colin Walters
On Mon, Oct 17, 2016, at 09:02 AM, Mattias Nissler wrote: > OK, no more feedback thus far. Is there generally any interest in a > mount option to avoid path name aliasing resulting in target file > confusion? Perhaps a version that only disables symlinks instead of > also hard-disabling files

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-17 Thread Austin S. Hemmelgarn
On 2016-10-17 09:02, Mattias Nissler wrote: OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-17 Thread Austin S. Hemmelgarn
On 2016-10-17 09:02, Mattias Nissler wrote: OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-17 Thread Mattias Nissler
OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple locations (those are much lower risk for the

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-17 Thread Mattias Nissler
OK, no more feedback thus far. Is there generally any interest in a mount option to avoid path name aliasing resulting in target file confusion? Perhaps a version that only disables symlinks instead of also hard-disabling files hard-linked to multiple locations (those are much lower risk for the

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
Forgot to mention: I realize my motivation is very specific to Chrome OS, however the nolinks option seemed useful also as a mitigation to generic privilege escalation symlink attacks, for cases where disabling symlinks/hardlinks is acceptable. On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
Forgot to mention: I realize my motivation is very specific to Chrome OS, however the nolinks option seemed useful also as a mitigation to generic privilege escalation symlink attacks, for cases where disabling symlinks/hardlinks is acceptable. On Fri, Oct 14, 2016 at 5:50 PM, Mattias Nissler

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote: > > On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > > Setting the "nolinks" mount option helps prevent privileged writers > > > from modifying files unintentionally in case there is an unexpected > > > link

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
On Fri, Oct 14, 2016 at 5:00 PM, Al Viro wrote: > > On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > > Setting the "nolinks" mount option helps prevent privileged writers > > > from modifying files unintentionally in case there is an unexpected > > > link along the accessed path. The

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Al Viro
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > Setting the "nolinks" mount option helps prevent privileged writers > > from modifying files unintentionally in case there is an unexpected > > link along the accessed path. The "nolinks" option is thus useful as a > > defensive measure

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Al Viro
On Fri, Oct 14, 2016 at 03:55:15PM +0100, Al Viro wrote: > > Setting the "nolinks" mount option helps prevent privileged writers > > from modifying files unintentionally in case there is an unexpected > > link along the accessed path. The "nolinks" option is thus useful as a > > defensive measure

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Al Viro
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote: > For mounts that have the new "nolinks" option, don't follow symlinks > and reject to open files with a hard link count larger than one. The > new option is similar in spirit to the existing "nodev", "noexec", and > "nosuid"

Re: [RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Al Viro
On Fri, Oct 14, 2016 at 04:28:25PM +0200, Mattias Nissler wrote: > For mounts that have the new "nolinks" option, don't follow symlinks > and reject to open files with a hard link count larger than one. The > new option is similar in spirit to the existing "nodev", "noexec", and > "nosuid"

[RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
For mounts that have the new "nolinks" option, don't follow symlinks and reject to open files with a hard link count larger than one. The new option is similar in spirit to the existing "nodev", "noexec", and "nosuid" options. Note that symlinks and hard links may still be created on mounts where

[RFC] [PATCH] Add a "nolinks" mount option.

2016-10-14 Thread Mattias Nissler
For mounts that have the new "nolinks" option, don't follow symlinks and reject to open files with a hard link count larger than one. The new option is similar in spirit to the existing "nodev", "noexec", and "nosuid" options. Note that symlinks and hard links may still be created on mounts where