| Message ID | 20200610055319.26374-1-cyphar@cyphar.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | symlink.7: document magic-links more completely | expand |
Hello Aleksa, On 6/10/20 7:53 AM, Aleksa Sarai wrote: > Hi Michael, > > Sorry for the delay and here is the patch I promised in this thread. Thanks! Patch applied. Cheers, Michael > --8<---------------------------------------------------------------------8<-- > > Traditionally, magic-links have not been a well-understood topic in > Linux. This helps clarify some of the terminology used in openat2.2. > > Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> > --- > man7/symlink.7 | 31 ++++++++++++++++++++++--------- > 1 file changed, 22 insertions(+), 9 deletions(-) > > diff --git a/man7/symlink.7 b/man7/symlink.7 > index 07b1db3a3764..ed99bc4236f1 100644 > --- a/man7/symlink.7 > +++ b/man7/symlink.7 > @@ -84,6 +84,21 @@ as they are implemented on Linux and other systems, > are outlined here. > It is important that site-local applications also conform to these rules, > so that the user interface can be as consistent as possible. > +.SS Magic-links > +There is a special class of symlink-like objects known as "magic-links" which > +can be found in certain pseudo-filesystems such as > +.BR proc (5) > +(examples include > +.IR /proc/[pid]/exe " and " /proc/[pid]/fd/* .) > +Unlike normal symlinks, magic-links are not resolved through > +pathname-expansion, but instead act as direct references to the kernel's own > +representation of a file handle. As such, these magic-links allow users to > +access files which cannot be referenced with normal paths (such as unlinked > +files still referenced by a running program.) > +.PP > +Because they can bypass ordinary > +.BR mount_namespaces (7)-based > +restrictions, magic-links have been used as attack vectors in various exploits. > .SS Symbolic link ownership, permissions, and timestamps > The owner and group of an existing symbolic link can be changed > using > @@ -99,16 +114,14 @@ of a symbolic link can be changed using > or > .BR lutimes (3). > .PP > -On Linux, the permissions of a symbolic link are not used > -in any operations; the permissions are always > -0777 (read, write, and execute for all user categories), > .\" Linux does not currently implement an lchmod(2). > -and can't be changed. > -(Note that there are some "magic" symbolic links in the > -.I /proc > -directory tree\(emfor example, the > -.IR /proc/[pid]/fd/* > -files\(emthat have different permissions.) > +On Linux, the permissions of an ordinary symbolic link are not used in any > +operations; the permissions are always 0777 (read, write, and execute for all > +user categories), and can't be changed. > +.PP > +However, magic-links do not follow this rule. They can have a non-0777 mode, > +though this mode is not currently used in any permission checks. > + > .\" > .\" The > .\" 4.4BSD >
diff --git a/man7/symlink.7 b/man7/symlink.7 index 07b1db3a3764..ed99bc4236f1 100644 --- a/man7/symlink.7 +++ b/man7/symlink.7 @@ -84,6 +84,21 @@ as they are implemented on Linux and other systems, are outlined here. It is important that site-local applications also conform to these rules, so that the user interface can be as consistent as possible. +.SS Magic-links +There is a special class of symlink-like objects known as "magic-links" which +can be found in certain pseudo-filesystems such as +.BR proc (5) +(examples include +.IR /proc/[pid]/exe " and " /proc/[pid]/fd/* .) +Unlike normal symlinks, magic-links are not resolved through +pathname-expansion, but instead act as direct references to the kernel's own +representation of a file handle. As such, these magic-links allow users to +access files which cannot be referenced with normal paths (such as unlinked +files still referenced by a running program.) +.PP +Because they can bypass ordinary +.BR mount_namespaces (7)-based +restrictions, magic-links have been used as attack vectors in various exploits. .SS Symbolic link ownership, permissions, and timestamps The owner and group of an existing symbolic link can be changed using @@ -99,16 +114,14 @@ of a symbolic link can be changed using or .BR lutimes (3). .PP -On Linux, the permissions of a symbolic link are not used -in any operations; the permissions are always -0777 (read, write, and execute for all user categories), .\" Linux does not currently implement an lchmod(2). -and can't be changed. -(Note that there are some "magic" symbolic links in the -.I /proc -directory tree\(emfor example, the -.IR /proc/[pid]/fd/* -files\(emthat have different permissions.) +On Linux, the permissions of an ordinary symbolic link are not used in any +operations; the permissions are always 0777 (read, write, and execute for all +user categories), and can't be changed. +.PP +However, magic-links do not follow this rule. They can have a non-0777 mode, +though this mode is not currently used in any permission checks. + .\" .\" The .\" 4.4BSD
Hi Michael, Sorry for the delay and here is the patch I promised in this thread. --8<---------------------------------------------------------------------8<-- Traditionally, magic-links have not been a well-understood topic in Linux. This helps clarify some of the terminology used in openat2.2. Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> --- man7/symlink.7 | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-)