152 lines
4.9 KiB
Diff
152 lines
4.9 KiB
Diff
From d48f814bd83a3cbd95dedaf5e4dd91c05cffddc6 Mon Sep 17 00:00:00 2001
|
|
From: Kees Cook <keescook@chromium.org>
|
|
Date: Sat, 25 Feb 2012 12:28:43 +1100
|
|
Subject: [PATCH 2/5] fs-symlink-restrictions-on-sticky-directories-fix-2
|
|
|
|
s/sticky_//
|
|
|
|
Cc: Kees Cook <keescook@chromium.org>
|
|
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
|
---
|
|
Documentation/sysctl/fs.txt | 4 ++--
|
|
fs/Kconfig | 16 ++++++++--------
|
|
fs/namei.c | 10 +++++-----
|
|
include/linux/fs.h | 2 +-
|
|
kernel/sysctl.c | 6 +++---
|
|
5 files changed, 19 insertions(+), 19 deletions(-)
|
|
|
|
diff --git a/Documentation/sysctl/fs.txt b/Documentation/sysctl/fs.txt
|
|
index 4b47cd5..01daa80 100644
|
|
--- a/Documentation/sysctl/fs.txt
|
|
+++ b/Documentation/sysctl/fs.txt
|
|
@@ -32,7 +32,7 @@ Currently, these files are in /proc/sys/fs:
|
|
- nr_open
|
|
- overflowuid
|
|
- overflowgid
|
|
-- protected_sticky_symlinks
|
|
+- protected_symlinks
|
|
- suid_dumpable
|
|
- super-max
|
|
- super-nr
|
|
@@ -158,7 +158,7 @@ The default is 65534.
|
|
|
|
==============================================================
|
|
|
|
-protected_sticky_symlinks:
|
|
+protected_symlinks:
|
|
|
|
A long-standing class of security issues is the symlink-based
|
|
time-of-check-time-of-use race, most commonly seen in world-writable
|
|
diff --git a/fs/Kconfig b/fs/Kconfig
|
|
index d0fdbdd..f2c46f3 100644
|
|
--- a/fs/Kconfig
|
|
+++ b/fs/Kconfig
|
|
@@ -272,7 +272,7 @@ endif # NETWORK_FILESYSTEMS
|
|
source "fs/nls/Kconfig"
|
|
source "fs/dlm/Kconfig"
|
|
|
|
-config PROTECTED_STICKY_SYMLINKS
|
|
+config PROTECTED_SYMLINKS
|
|
bool "Evaluate vulnerable symlink conditions"
|
|
default y
|
|
help
|
|
@@ -285,10 +285,10 @@ config PROTECTED_STICKY_SYMLINKS
|
|
|
|
Enabling this adds the logic to examine these dangerous symlink
|
|
conditions. Whether or not the dangerous symlink situations are
|
|
- allowed is controlled by PROTECTED_STICKY_SYMLINKS_ENABLED.
|
|
+ allowed is controlled by PROTECTED_SYMLINKS_ENABLED.
|
|
|
|
-config PROTECTED_STICKY_SYMLINKS_ENABLED
|
|
- depends on PROTECTED_STICKY_SYMLINKS
|
|
+config PROTECTED_SYMLINKS_ENABLED
|
|
+ depends on PROTECTED_SYMLINKS
|
|
bool "Disallow symlink following in sticky world-writable dirs"
|
|
default y
|
|
help
|
|
@@ -298,12 +298,12 @@ config PROTECTED_STICKY_SYMLINKS_ENABLED
|
|
directory and symlink owners match.
|
|
|
|
When PROC_SYSCTL is enabled, this setting can also be controlled
|
|
- via /proc/sys/kernel/protected_sticky_symlinks.
|
|
+ via /proc/sys/kernel/protected_symlinks.
|
|
|
|
-config PROTECTED_STICKY_SYMLINKS_ENABLED_SYSCTL
|
|
- depends on PROTECTED_STICKY_SYMLINKS
|
|
+config PROTECTED_SYMLINKS_ENABLED_SYSCTL
|
|
+ depends on PROTECTED_SYMLINKS
|
|
int
|
|
- default "1" if PROTECTED_STICKY_SYMLINKS_ENABLED
|
|
+ default "1" if PROTECTED_SYMLINKS_ENABLED
|
|
default "0"
|
|
|
|
endmenu
|
|
diff --git a/fs/namei.c b/fs/namei.c
|
|
index 5b4c05b..39edcf7 100644
|
|
--- a/fs/namei.c
|
|
+++ b/fs/namei.c
|
|
@@ -623,16 +623,16 @@ static inline void put_link(struct nameidata *nd, struct path *link, void *cooki
|
|
path_put(link);
|
|
}
|
|
|
|
-#ifdef CONFIG_PROTECTED_STICKY_SYMLINKS
|
|
-int sysctl_protected_sticky_symlinks __read_mostly =
|
|
- CONFIG_PROTECTED_STICKY_SYMLINKS_ENABLED_SYSCTL;
|
|
+#ifdef CONFIG_PROTECTED_SYMLINKS
|
|
+int sysctl_protected_symlinks __read_mostly =
|
|
+ CONFIG_PROTECTED_SYMLINKS_ENABLED_SYSCTL;
|
|
|
|
/**
|
|
* may_follow_link - Check symlink following for unsafe situations
|
|
* @dentry: The inode/dentry of the symlink
|
|
* @nameidata: The path data of the symlink
|
|
*
|
|
- * In the case of the protected_sticky_symlinks sysctl being enabled,
|
|
+ * In the case of the protected_symlinks sysctl being enabled,
|
|
* CAP_DAC_OVERRIDE needs to be specifically ignored if the symlink is
|
|
* in a sticky world-writable directory. This is to protect privileged
|
|
* processes from failing races against path names that may change out
|
|
@@ -651,7 +651,7 @@ may_follow_link(struct dentry *dentry, struct nameidata *nameidata)
|
|
const struct inode *inode;
|
|
const struct cred *cred;
|
|
|
|
- if (!sysctl_protected_sticky_symlinks)
|
|
+ if (!sysctl_protected_symlinks)
|
|
return 0;
|
|
|
|
/* Allowed if owner and follower match. */
|
|
diff --git a/include/linux/fs.h b/include/linux/fs.h
|
|
index aba8db0..404cc89 100644
|
|
--- a/include/linux/fs.h
|
|
+++ b/include/linux/fs.h
|
|
@@ -423,7 +423,7 @@ extern unsigned long get_max_files(void);
|
|
extern int sysctl_nr_open;
|
|
extern struct inodes_stat_t inodes_stat;
|
|
extern int leases_enable, lease_break_time;
|
|
-extern int sysctl_protected_sticky_symlinks;
|
|
+extern int sysctl_protected_symlinks;
|
|
|
|
struct buffer_head;
|
|
typedef int (get_block_t)(struct inode *inode, sector_t iblock,
|
|
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
|
|
index c469b88..0624e7c 100644
|
|
--- a/kernel/sysctl.c
|
|
+++ b/kernel/sysctl.c
|
|
@@ -1497,10 +1497,10 @@ static struct ctl_table fs_table[] = {
|
|
},
|
|
#endif
|
|
#endif
|
|
-#ifdef CONFIG_PROTECTED_STICKY_SYMLINKS
|
|
+#ifdef CONFIG_PROTECTED_SYMLINKS
|
|
{
|
|
- .procname = "protected_sticky_symlinks",
|
|
- .data = &sysctl_protected_sticky_symlinks,
|
|
+ .procname = "protected_symlinks",
|
|
+ .data = &sysctl_protected_symlinks,
|
|
.maxlen = sizeof(int),
|
|
.mode = 0600,
|
|
.proc_handler = proc_dointvec_minmax,
|
|
--
|
|
1.7.9.1
|
|
|