tech-security archive


Re: hardlinks to setuid binaries



On Sat, Mar 26, 2022 at 11:19:22AM +0000, Taylor R Campbell wrote:
> 
> 3. [least restrictive I could think of to prevent this attack] Either:
>    (a) If suid, caller must own file.
>    (b) If sgid, caller must be in group.

I believe, based on some past experience with this along the way to the
conclusion that, practically, my device runtime simply needed to have
multiple filesystems and enforce W^X through the expedient of mounting
all writable filesystems noexec, that you may want to enforce the
owner/group condition on hard links to device nodes as well.

If we could enforce restrictions on filesystem subtrees, generally,
it would be possible to enforce nosuid on link targets writable by non-root
users, and call it a day.  But really, "is cwd below directory 'D'" is not
an easy thing to do in our kernel, more's the shame.

Even better, imagine requiring an attribute to be set on a directory
in order to _allow_ it to contain setuid executables.  Or device nodes.
Wouldn't that, in general, be safer and better than trying to decide all
the places where such things should _not_ be allowed?

Thor

