Date: Thu, 10 Feb 2022 09:54:45 +0100
From: Stefan Esser <se@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Subject: Re: how to restrict file access below some top directory
Message-ID: <9e9426bd-c063-0d26-0694-9c0932f7c63e@FreeBSD.org>
In-Reply-To: <YgTL9tf0EaX3+D3Q@pureos>
References: <YgTL9tf0EaX3+D3Q@pureos>
On 10.02.22 at 09:25, Matthias Apitz wrote:
>
> Hello,
>
> I want to restrict in a C- or Perl-written application the file access to
> only files below some top directory, say
>
> /var/spool/dir/
>
> and not allowing, for example, access to /var/spool/dir/../../../etc/passwd
> Ofc, this could be done easily with chroot(2), but this would require root
> permission. Any other ideas?

Hi Matthias,

how about openat() in combination with capsicum?

From the open(4) / openat(4) man-page:

    In capsicum(4) capability mode, open() is not permitted. The path
    argument to openat() must be strictly relative to a file descriptor
    fd. path must not be an absolute path and must not contain ".."
    components which cause the path resolution to escape the directory
    hierarchy starting at fd. Additionally, no symbolic link in path may
    target absolute path or contain escaping ".." components. fd must
    not be AT_FDCWD.

    If the vfs.lookup_cap_dotdot sysctl(3) MIB is set to zero, ".."
    components in the paths, used in capability mode, are completely
    disabled. If the vfs.lookup_cap_dotdot_nonlocal MIB is set to zero,
    ".." is not allowed if found on non-local filesystem.

Regards, Stefan
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9e9426bd-c063-0d26-0694-9c0932f7c63e>