Trying to answer a question no sane person ever had to ask: How Hard Is It, To Open a File?

This one is about the great POSIX idea of a filesystem, and why you could not play your games and open chrome for a few days.

https://blog.sebastianwick.net/posts/how-hard-is-it-to-open-a-file/

How Hard Is It To Open a File?

It’s a question I had to ask myself multiple times over the last few months. Depending on the context the answer can be:

- very simple, just call the standard library function
- extremely hard, don’t trust anything

If you are an app developer, you’re lucky and it’s almost always the first answer. If you develop something with a security boundary which involves files in any way, the correct answer is very likely the second one.

swick's blog

@swick Insightful post. Snapd has had a paranoid approach to fd security but even with that we did commit a few CVEs over the years.

I agree that starting with current kernel APIs would be far easier to do the right thing. The openat2 and the new mount system calls are way better if you can depend on them.

Out of the missing set, I wish the kernel had an openat flag that makes the chown atomic, and a similar feature for mkdirat.

Best regards!

@zygoon file an issue: https://github.com/uapi-group/kernel-features. It does help sometimes :)

@swick thank you for pointing that out. I just filed https://github.com/uapi-group/kernel-features/issues/56

Please feel free to correct me if I'm wrong, but making directory path elements safely is just always racy if you want to configure them in a particular way and you are not implicitly creating them from a root/root process.

Race-free mkdirat + chown · Issue #56 · uapi-group/kernel-features

Any code that has a similar sequence of mkdirat and chown is racy. Code like this may exist in a privileged helper that runs with capabilities as the user. Ideally o int ret, subdirfd; ret = mkdira...
