fs: add link restrictions

This adds symlink and hardlink restrictions to the Linux VFS. Symlinks: A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp The solution is to permit symlinks to only be followed when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner. Some pointers to the history of earlier discussion that I could find: 1996 Aug, Zygo Blaxell http://marc.info/?l=bugtraq&m=87602167419830&w=2 1996 Oct, Andrew Tridgell http://lkml.indiana.edu/hypermail/linux/kernel/9610.2/0086.html 1997 Dec, Albert D Cahalan http://lkml.org/lkml/1997/12/16/4 2005 Feb, Lorenzo Hernández García-Hierro http://lkml.indiana.edu/hypermail/linux/kernel/0502.0/1896.html 2010 May, Kees Cook https://lkml.org/lkml/2010/5/30/144 Past objections and rebuttals could be summarized as: - Violates POSIX. - POSIX didn't consider this situation and it's not useful to follow a broken specification at the cost of security. - Might break unknown applications that use this feature. - Applications that break because of the change are easy to spot and fix. Applications that are vulnerable to symlink ToCToU by not having the change aren't. Additionally, no applications have yet been found that rely on this behavior. - Applications should just use mkstemp() or O_CREATE|O_EXCL. - True, but applications are not perfect, and new software is written all the time that makes these mistakes; blocking this flaw at the kernel is a single solution to the entire class of vulnerability. - This should live in the core VFS. - This should live in an LSM. (https://lkml.org/lkml/2010/5/31/135) - This should live in an LSM. - This should live in the core VFS. (https://lkml.org/lkml/2010/8/2/188) Hardlinks: On systems that have user-writable directories on the same partition as system files, a long-standing class of security issues is the hardlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given hardlink (i.e. a root process follows a hardlink created by another user). Additionally, an issue exists where users can "pin" a potentially vulnerable setuid/setgid file so that an administrator will not actually upgrade a system fully. The solution is to permit hardlinks to only be created when the user is already the existing file's owner, or if they already have read/write access to the existing file. Many Linux users are surprised when they learn they can link to files they have no access to, so this change appears to follow the doctrine of "least surprise". Additionally, this change does not violate POSIX, which states "the implementation may require that the calling process has permission to access the existing file"[1]. This change is known to break some implementations of the "at" daemon, though the version used by Fedora and Ubuntu has been fixed[2] for a while. Otherwise, the change has been undisruptive while in use in Ubuntu for the last 1.5 years. [1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/linkat.html [2] http://anonscm.debian.org/gitweb/?p=collab-maint/at.git;a=commitdiff;h=f4114656c3a6c6f6070e315ffdf940a49eda3279 This patch is based on the patches in Openwall and grsecurity, along with suggestions from Al Viro. I have added a sysctl to enable the protected behavior, and documentation. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Kees Cook <keescook@chromium.org> 2012-07-25 20:29:07 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> 2012-07-29 13:37:58 -0400
commit: 800179c9b8a1e796e441674776d11cd4c05d61d7 (patch)
tree: 5760992f4453c35b57b2686d8b8d5caee239b637 /Documentation/sysctl
parent: 3134f37e931d75931bdf6d4eacd82a3fd26eca7c (diff)
1 files changed, 42 insertions, 0 deletions
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
index 13d6166d7a27..d4a372e75750 100644
--- a/Documentation/sysctl/fs.txt
+++ b/Documentation/sysctl/fs.txt
@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
 - nr_open
 - overflowuid
 - overflowgid
+- protected_hardlinks
+- protected_symlinks
 - suid_dumpable
 - super-max
 - super-nr
@@ -157,6 +159,46 @@ The default is 65534.
 ==============================================================
+protected_hardlinks:
+A long-standing class of security issues is the hardlink-based
+time-of-check-time-of-use race, most commonly seen in world-writable
+directories like /tmp. The common method of exploitation of this flaw
+is to cross privilege boundaries when following a given hardlink (i.e. a
+root process follows a hardlink created by another user). Additionally,
+on systems without separated partitions, this stops unauthorized users
+from "pinning" vulnerable setuid/setgid files against being upgraded by
+the administrator, or linking to special files.
+When set to "0", hardlink creation behavior is unrestricted.
+When set to "1" hardlinks cannot be created by users if they do not
+already own the source file, or do not have read/write access to it.
+This protection is based on the restrictions in Openwall and grsecurity.
+==============================================================
+protected_symlinks:
+A long-standing class of security issues is the symlink-based
+time-of-check-time-of-use race, most commonly seen in world-writable
+directories like /tmp. The common method of exploitation of this flaw
+is to cross privilege boundaries when following a given symlink (i.e. a
+root process follows a symlink belonging to another user). For a likely
+incomplete list of hundreds of examples across the years, please see:
+http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
+When set to "0", symlink following behavior is unrestricted.
+When set to "1" symlinks are permitted to be followed only when outside
+a sticky world-writable directory, or when the uid of the symlink and
+follower match, or when the directory owner matches the symlink's owner.
+This protection is based on the restrictions in Openwall and grsecurity.
+==============================================================
 suid_dumpable:
 This value can be used to query and set the core dump mode for setuid
author	Kees Cook <keescook@chromium.org>	2012-07-25 20:29:07 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	2012-07-29 13:37:58 -0400
commit	800179c9b8a1e796e441674776d11cd4c05d61d7 (patch)
tree	5760992f4453c35b57b2686d8b8d5caee239b637 /Documentation/sysctl
parent	3134f37e931d75931bdf6d4eacd82a3fd26eca7c (diff)

diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt index 13d6166d7a27..d4a372e75750 100644 --- a/Documentation/sysctl/fs.txt +++ b/Documentation/sysctl/fs.txt
@@ -32,6 +32,8 @@ Currently, these files are in /proc/sys/fs:
32	- nr_open	32	- nr_open
33	- overflowuid	33	- overflowuid
34	- overflowgid	34	- overflowgid
		35	- protected_hardlinks
		36	- protected_symlinks
35	- suid_dumpable	37	- suid_dumpable
36	- super-max	38	- super-max
37	- super-nr	39	- super-nr
@@ -157,6 +159,46 @@ The default is 65534.
157		159
158	==============================================================	160	==============================================================
159		161
		162	protected_hardlinks:
		163
		164	A long-standing class of security issues is the hardlink-based
		165	time-of-check-time-of-use race, most commonly seen in world-writable
		166	directories like /tmp. The common method of exploitation of this flaw
		167	is to cross privilege boundaries when following a given hardlink (i.e. a
		168	root process follows a hardlink created by another user). Additionally,
		169	on systems without separated partitions, this stops unauthorized users
		170	from "pinning" vulnerable setuid/setgid files against being upgraded by
		171	the administrator, or linking to special files.
		172
		173	When set to "0", hardlink creation behavior is unrestricted.
		174
		175	When set to "1" hardlinks cannot be created by users if they do not
		176	already own the source file, or do not have read/write access to it.
		177
		178	This protection is based on the restrictions in Openwall and grsecurity.
		179
		180	==============================================================
		181
		182	protected_symlinks:
		183
		184	A long-standing class of security issues is the symlink-based
		185	time-of-check-time-of-use race, most commonly seen in world-writable
		186	directories like /tmp. The common method of exploitation of this flaw
		187	is to cross privilege boundaries when following a given symlink (i.e. a
		188	root process follows a symlink belonging to another user). For a likely
		189	incomplete list of hundreds of examples across the years, please see:
		190	http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
		191
		192	When set to "0", symlink following behavior is unrestricted.
		193
		194	When set to "1" symlinks are permitted to be followed only when outside
		195	a sticky world-writable directory, or when the uid of the symlink and
		196	follower match, or when the directory owner matches the symlink's owner.
		197
		198	This protection is based on the restrictions in Openwall and grsecurity.
		199
		200	==============================================================
		201
160	suid_dumpable:	202	suid_dumpable:
161		203
162	This value can be used to query and set the core dump mode for setuid	204	This value can be used to query and set the core dump mode for setuid