Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: <tytso <at> mit.edu>
Subject: Re: [PATCH v2] fs: block cross-uid sticky symlinks
Newsgroups: gmane.linux.kernel.lsm
Date: Monday 31st May 2010 10:47:08 UTC (over 7 years ago)
On Sun, May 30, 2010 at 08:04:02PM -0700, Kees Cook wrote:
>  - Violates POSIX.
>    - POSIX didn't consider this situation and it's not useful to follow
>      a broken specification at the cost of security.

POSIX allows implementations to fail requested operations with a
permission denied for reasons beyond that which is specified by the
POSIX implementation.  Indeed, POSIX doesn't specify the sticky bit at
all, so implementations that implemented the sticky bit were able to
pass POSIX precisely because it's OK to provide stricter semantics
than that which is specified by POSIX.  (The sticky bit is specified
in the XSI exstension to the Single Unix Specification, but the same
principle applies; it's OK for us have additional situations where we
return EACCESS beyond that which was contemplated by POSIX/SUS; this
alone wouldn't cause us to 'violate POSIX'.)

So for people who to argue against this (which I believe to be a
useful restriction, and not one that necessarily has to be done in a
LSM), it's not sufficient to say that it is a POSIX violation, because
it isn't.  The sticky bit itself wasn't originally considered by
POSIX, and many systems which implemented the sticky bit had no
problems becoming ceritifed as POSIX compliant.

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
 
CD: 3ms