Linux-Fsdevel Archive on lore.kernel.org
help / color / mirror / Atom feed
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Aleksa Sarai <cyphar@cyphar.com>
Cc: mtk.manpages@gmail.com, Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <christian@brauner.io>,
	Aleksa Sarai <asarai@suse.de>,
	linux-man@vger.kernel.org, linux-api@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH man-pages v2 2/2] openat2.2: document new openat2(2) syscall
Date: Mon, 13 Apr 2020 09:22:39 +0200	[thread overview]
Message-ID: <cd1438ab-cfc6-b286-849e-d7de0d5c7258@gmail.com> (raw)
In-Reply-To: <20200412164943.imwpdj5qgtyfn5de@yavin.dot.cyphar.com>

Hello Aleksa,

On 4/12/20 6:49 PM, Aleksa Sarai wrote:
> Sorry, I could've sworn I responded when you posted this -- comments
> below. And sorry for not getting back to you before the 5.06 release.

No worries and ahanks for your feedback below.

[...]

>>>> .\" FIXME I find the "previously-functional systems" in the previous
>>>> .\" sentence a little odd (since openat2() ia new sysycall), so I would
>>>> .\" like to clarify a little...
>>>> .\" Are you referring to the scenario where someone might take an
>>>> .\" existing application that uses openat() and replaces the uses
>>>> .\" of openat() with openat2()? In which case, is it correct to
>>>> .\" understand that you mean that one should not just indiscriminately
>>>> .\" add the RESOLVE_NO_XDEV flag to all of the openat2() calls?
>>>> .\" If I'm not on the right track, could you point me in the right
>>>> .\" direction please.
>>>
>>> This is mostly meant as a warning to hopefully avoid applications
>>> because the developer didn't realise that system paths may contain
>>> symlinks or bind-mounts. For an application which has switched to
>>> openat2() and then uses RESOLVE_NO_SYMLINKS for a non-security reason,
>>> it's possible that on some distributions (or future versions of a
>>> distribution) that their application will stop working because a system
>>> path suddenly contains a symlink or is a bind-mount.
>>>
>>> This was a concern which was brought up on LWN some time ago. If you can
>>> think of a phrasing that makes this more clear, I'd appreciate it.
>>
>> Thanks. I've made the text:
>>
>>                      Applications  that  employ  the RESOLVE_NO_XDEV flag
>>                      are encouraged to make its use configurable  (unless
>>                      it is used for a specific security purpose), as bind
>>                      mounts are widely used by end-users.   Setting  this
>>                      flag indiscriminately—i.e., for purposes not specif‐
>>                      ically related to security—for all uses of openat2()
>>                      may  result  in  spurious errors on previously-func‐
>>                      tional systems.  This may occur if, for  example,  a
>>                      system  pathname  that  is used by an application is
>>                      modified (e.g., in a new  distribution  release)  so
>>                      that  a  pathname  component  (now)  contains a bind
>>                      mount.
>>
>> Okay?
> 
> Yup,

Thanks.

> and the same text should be used for the same warning I gave for
> RESOLVE_NO_SYMLINKS (for the same reason, because system paths may
> switch to symlinks -- the prime example being what Arch Linux did
> several years ago).

Okay -- I added similar text to RESOLVE_NO_SYMLINKS.

>>>> .\" FIXME: what specific details in symlink(7) are being referred
>>>> .\" by the following sentence? It's not clear.
>>>
>>> The section on magic-links, but you're right that the sentence ordering
>>> is a bit odd. It should probably go after the first sentence.
>>
>> I must admit that I'm still confused. There's only the briefest of 
>> mentions of magic links in symlink(7). Perhaps that needs to be fixed?
> 
> It wouldn't hurt to add a longer description of magic-links in
> symlink(7). I'll send you a small patch to beef up the description (I
> had planned to include a longer rewrite with the O_EMPTYPATH patches but
> those require quite a bit more work to land).

That would be great. Thank you!

>> And, while I think of it, the text just preceding that FIXME says:
>>
>>     Due to the potential danger of unknowingly opening 
>>     these magic links, it may be preferable for users to 
>>     disable their resolution entirely.
>>
>> This sentence reads a little strangely. Could you please give me some
>> concrete examples, and I will try rewording that sentence a bit.
> 
> The primary example is that certain files (such as tty devices) are
> best not opened by an unsuspecting program (if you do not have a
> controlling TTY, and you open such a file that console becomes your
> controlling TTY unless you use O_NOCTTY).
> 
> But more generally, magic-links allow programs to be "beamed" all over
> the system (bypassing ordinary mount namespace restrictions). Since they
> are fairly rarely used intentionally by most programs, this is more of a
> tip to programmers that maybe they should play it safe and disallow
> magic-links unless they are expecting to have to use them.


I've reworked the text on RESOLVE_NO_MAGICLINKS substantially:

       RESOLVE_NO_MAGICLINKS
              Disallow all magic-link resolution during path reso‐
              lution.

              Magic links are symbolic link-like objects that  are
              most  notably  found  in  proc(5);  examples include
              /proc/[pid]/exe  and  /proc/[pid]/fd/*.   (See  sym‐
              link(7) for more details.)

              Unknowingly  opening  magic  links  can be risky for
              some applications.  Examples of such  risks  include
              the following:

              · If the process opening a pathname is a controlling
                process that currently has no controlling terminal
                (see  credentials(7)),  then  opening a magic link
                inside /proc/[pid]/fd that happens to refer  to  a
                terminal would cause the process to acquire a con‐
                trolling terminal.

              · In  a  containerized  environment,  a  magic  link
                inside  /proc  may  refer to an object outside the
                container, and thus may provide a means to  escape
                from the container.

[The above example derives from https://lwn.net/Articles/796868/]

              Because  of such risks, an application may prefer to
              disable   magic   link    resolution    using    the
              RESOLVE_NO_MAGICLINKS flag.

              If  the trailing component (i.e., basename) of path‐
              name is a magic link, and  how.flags  contains  both
              O_PATH  and O_NOFOLLOW, then an O_PATH file descrip‐
              tor referencing the magic link will be returned.

How does the above look?

Also, regarding the last paragraph, I  have a question.  The
text doesn't seem quite to relate to the rest of the discussion.
Should it be saying something like:

If the trailing component (i.e., basename) of pathname is a magic link,
**how.resolve contains RESOLVE_NO_MAGICLINKS,**
and how.flags contains both O_PATH and O_NOFOLLOW, then an O_PATH
file descriptor referencing the magic link will be returned.

?

[...]

>>>> .\" FIXME The next piece is unclear (to me). What kind of ".." escape
>>>> .\" attempts does chroot() not detect that RESOLVE_IN_ROOT does?
>>>
>>> If the root is moved, you can escape from a chroot(2). But this sentence
>>> might not really belong in a man-page since it's describing (important)
>>> aspects of the implementation and not the semantics.
>>
>> So, should I just remove the sentence?
> 
> Yup, sounds reasonable.

Done.

Thanks,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

  reply	other threads:[~2020-04-13  7:22 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-02 15:19 [PATCH man-pages v2 0/2] document openat2(2) Aleksa Sarai
2020-02-02 15:19 ` [PATCH man-pages v2 1/2] path_resolution.7: update to mention openat2(2) features Aleksa Sarai
2020-03-30 20:38   ` Michael Kerrisk (man-pages)
2020-02-02 15:19 ` [PATCH man-pages v2 2/2] openat2.2: document new openat2(2) syscall Aleksa Sarai
2020-03-30  9:08   ` Michael Kerrisk (man-pages)
2020-03-30  9:20     ` Aleksa Sarai
2020-03-30  9:36       ` Michael Kerrisk (man-pages)
2020-03-30  9:48         ` Aleksa Sarai
2020-03-30 20:43   ` Michael Kerrisk (man-pages)
2020-03-31 14:39     ` Aleksa Sarai
2020-04-01  6:38       ` Michael Kerrisk (man-pages)
2020-04-08 21:29         ` Michael Kerrisk (man-pages)
2020-04-12 16:49         ` Aleksa Sarai
2020-04-13  7:22           ` Michael Kerrisk (man-pages) [this message]
2020-04-14 10:35             ` Aleksa Sarai
2020-04-15 20:24               ` Michael Kerrisk (man-pages)
2020-05-04 10:17               ` Michael Kerrisk (man-pages)
2020-06-10  5:53               ` [PATCH] symlink.7: document magic-links more completely Aleksa Sarai
2020-06-19 13:00                 ` Michael Kerrisk (man-pages)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=cd1438ab-cfc6-b286-849e-d7de0d5c7258@gmail.com \
    --to=mtk.manpages@gmail.com \
    --cc=asarai@suse.de \
    --cc=christian@brauner.io \
    --cc=cyphar@cyphar.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-man@vger.kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    --subject='Re: [PATCH man-pages v2 2/2] openat2.2: document new openat2(2) syscall' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).