Date:      Thu, 10 Feb 2022 09:54:45 +0100
From:      Stefan Esser <se@FreeBSD.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: how to restrict file access below some top directory
Message-ID:  <9e9426bd-c063-0d26-0694-9c0932f7c63e@FreeBSD.org>
In-Reply-To: <YgTL9tf0EaX3%2BD3Q@pureos>
References:  <YgTL9tf0EaX3%2BD3Q@pureos>

On 10.02.22 at 09:25, Matthias Apitz wrote:
>
> Hello,
>
> I want to restrict, in a C- or Perl-written application, file access to
> only files below some top directory, say
>
> 	/var/spool/dir/
>
> and not allow, for example, access to /var/spool/dir/../../../etc/passwd
> Ofc, this could be done easily with chroot(2), but this would require root
> permission. Any other ideas?

Hi Matthias,

how about openat() in combination with capsicum?

From the open(4) / openat(4) man-page:

     In capsicum(4) capability mode, open() is not permitted.  The path
     argument to openat() must be strictly relative to a file descriptor fd.
     path must not be an absolute path and must not contain ".." components
     which cause the path resolution to escape the directory hierarchy
     starting at fd.  Additionally, no symbolic link in path may target
     absolute path or contain escaping ".." components.  fd must not be
     AT_FDCWD.

     If the vfs.lookup_cap_dotdot sysctl(3) MIB is set to zero, ".."
     components in the paths, used in capability mode, are completely
     disabled.  If the vfs.lookup_cap_dotdot_nonlocal MIB is set to zero, ".."
     is not allowed if found on non-local filesystem.

Regards, Stefan

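The approach Stefan describes, written out as an added example (not code from the thread): hold a descriptor to the top directory, open everything with openat() relative to it, and on FreeBSD enter capsicum(4) capability mode so the kernel itself refuses open(), absolute paths and escaping ".." components. The function names path_is_confined(), confine_to() and open_below() are assumptions; path_is_confined() mirrors the rule quoted from the man page in userspace so the same rejection is visible on systems without capsicum.

```c
#define _GNU_SOURCE          /* makes O_DIRECTORY visible on glibc; ignored on FreeBSD */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>    /* cap_enter(); FreeBSD only */
#endif

/* Userspace mirror of the rule the man page quotes: the path must be relative
 * and no ".." component may climb above the starting directory. Symlinks are
 * not inspected here; in capability mode the kernel rejects escaping ones. */
int path_is_confined(const char *path)
{
    int depth = 0;
    if (path == NULL || *path == '\0' || *path == '/')
        return 0;                               /* empty or absolute */
    while (*path != '\0') {
        const char *end = strchr(path, '/');
        size_t len = end ? (size_t)(end - path) : strlen(path);
        if (len == 2 && path[0] == '.' && path[1] == '.') {
            if (--depth < 0)                    /* this ".." would escape */
                return 0;
        } else if (len > 0 && !(len == 1 && path[0] == '.')) {
            depth++;                            /* ordinary component */
        }
        if (end == NULL) break;
        path = end + 1;
    }
    return 1;
}

/* Open the top directory (e.g. the page's /var/spool/dir/) and, on FreeBSD, enter
 * capability mode; the open() must happen first, since open() is refused afterwards. */
int confine_to(const char *topdir)
{
    int topfd = open(topdir, O_RDONLY | O_DIRECTORY);
#ifdef __FreeBSD__
    if (topfd >= 0 && cap_enter() < 0) { close(topfd); topfd = -1; }
#endif
    return topfd;
}

/* Open path relative to topfd only; returns -1 with errno=EACCES when rejected. */
int open_below(int topfd, const char *path, int flags)
{
    if (!path_is_confined(path)) { errno = EACCES; return -1; }
    return openat(topfd, path, flags);
}
```

In capability mode the kernel applies the quoted rules to openat() itself, so the userspace check only gives an earlier, clearer error; without capsicum it is the only barrier and does not cover symlinks that point outside the tree.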