From nobody Thu Feb 10 08:54:45 2022
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 2C29B19BA8DD
	for <freebsd-hackers@mlmmj.nyi.freebsd.org>; Thu, 10 Feb 2022 08:54:49 +0000 (UTC)
	(envelope-from se@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JvVtd0fMqz4l45;
	Thu, 10 Feb 2022 08:54:49 +0000 (UTC)
	(envelope-from se@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1644483289;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=cd3kzyaXGOAk+FAo5jRlI8wdOL9Z9ru2cU6/rQEmEqc=;
	b=iwbKaKcesQpufYryXoS96LwlfocOdmRNPdMPsH7uB2qzPiwNl+jLnCOi9oOkEQI9yCYATV
	krt2dVxfGoSrj+/CrHXcl4nhf8Z0N8C5d+0DQey1G/pOuelQok0fUgUg20MLEKrC+5V1HL
	Rra0kuy8Rw3we3/u4n1OIgMdPxJIPadBJMVBi29ARXSpDMuc94FlcHWYmQfIgZfWWA0+9v
	d2jcsbnAyIIl8erIU85gGcPzgKGEl50f/fmK/mRDUXQi8zQsFHaNJNjFSz/8K4n3Iq57RK
	f1DMico2rz9bIWsnp2XKrih9GXfNawckc7M22sQzEzoP279f+8ukHu+6dMvA7g==
Received: from [IPV6:2003:cd:5f1f:8f00:51ae:46aa:8393:af10] (p200300cd5f1f8f0051ae46aa8393af10.dip0.t-ipconnect.de [IPv6:2003:cd:5f1f:8f00:51ae:46aa:8393:af10])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate)
	(Authenticated sender: se/mail)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 99ED42D94B;
	Thu, 10 Feb 2022 08:54:48 +0000 (UTC)
	(envelope-from se@FreeBSD.org)
Message-ID: <9e9426bd-c063-0d26-0694-9c0932f7c63e@FreeBSD.org>
Date: Thu, 10 Feb 2022 09:54:45 +0100
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
 Gecko/20100101 Thunderbird/91.6.0
Subject: Re: how to restrict file access below some top directory
Content-Language: en-US
To: freebsd-hackers@freebsd.org
References: <YgTL9tf0EaX3+D3Q@pureos>
From: Stefan Esser <se@FreeBSD.org>
In-Reply-To: <YgTL9tf0EaX3+D3Q@pureos>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="------------AE0voxisgXBGshCCH9j8Z6a3"
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1644483289;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=cd3kzyaXGOAk+FAo5jRlI8wdOL9Z9ru2cU6/rQEmEqc=;
	b=uaQhubfY/NBZRtdkWd3gTJYnZlRfswDOzEb/5P3rxVGabd8oir0EAIpf/aZFleYJx8GXcs
	ZWPO0+q22Fv1XhATqg7+pibUxBU/glzFDCAqIzSjdXbC2g6aUANjl3atLG6Snw5lry73p3
	Tdk7EO6Orf3wV6Vl7cIpKlu9q6OHjMW4SlgOAqZfS0JIgVSMSytHiDYkUt6pDuUVHH+Aqp
	HxJoKiY8LNuqPB+64ZeaH5YuyqW2Yjafv+k0bB9TqaqXUKZq0n4E0VHWj9B+ARG0KbZu/G
	vu8dr9ZrLMz9Y8YKng+K75i8fp97xW411TKJGh/+GOM46CrmcNQ7/OzcbHicjQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1644483289; a=rsa-sha256; cv=none;
	b=NRvrbbMhMcWXI4Tzy+XJ8uAc1LA7rEXnPsahP/hW7egkOIVgpD4t27PqmVZQY+d1YHItk+
	E1WZSZeE2qPyzno94rhRSd7UzNfG/VABKtoBBEBTj79UTSTSfu1M8TyydyvwM9dCQebm5x
	QbdxK2X12FRsxga20+CSdKGTcx/19T1PQq9hkm8QqU/yVzXCNDGSxs4hbMctcXM3H+Dnj5
	1FHpwMGp+D1Lln1gtyZ9gCke0RuPtmm4o8KzVZwO5LWLGr9YTgOFHYnuBpyslOTNWjoxOJ
	w+xGVM7zwXUNHwSD68MXp9KfDMzVPClFNhv1ifuFB2UK1OnlGQ3Ax8g/EpUqhA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------------AE0voxisgXBGshCCH9j8Z6a3
Content-Type: multipart/mixed; boundary="------------Rz1doImUc6YJEXGn8fkWtJou";
 protected-headers="v1"
From: Stefan Esser <se@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Message-ID: <9e9426bd-c063-0d26-0694-9c0932f7c63e@FreeBSD.org>
Subject: Re: how to restrict file access below some top directory
References: <YgTL9tf0EaX3+D3Q@pureos>
In-Reply-To: <YgTL9tf0EaX3+D3Q@pureos>

--------------Rz1doImUc6YJEXGn8fkWtJou
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Am 10.02.22 um 09:25 schrieb Matthias Apitz:
>=20
> Hello,
>=20
> I want restrict in a C- or Perl-written application the file access to
> only files below some top directory, say
>=20
> 	/var/spool/dir/
>=20
> and not allowing, for example, access to /var/spool/dir/../../../etc/pa=
sswd
> Ofc, this could be done easy with chroot(2), but this would require roo=
t
> permision. Any other ideas?

Hi Matthias,

how about openat() in combination with capsicum?

=46rom the open(4) / openat(4) man-page:

     In capsicum(4) capability mode, open() is not permitted.  The path
     argument to openat() must be strictly relative to a file descriptor =
fd.
     path must not be an absolute path and must not contain ".." componen=
ts
     which cause the path resolution to escape the directory hierarchy
     starting at fd.  Additionally, no symbolic link in path may target
     absolute path or contain escaping ".." components.  fd must not be
     AT_FDCWD.

     If the vfs.lookup_cap_dotdot sysctl(3) MIB is set to zero, ".."
     components in the paths, used in capability mode, are completely
     disabled.  If the vfs.lookup_cap_dotdot_nonlocal MIB is set to zero,=
 ".."
     is not allowed if found on non-local filesystem.

Gru=C3=9F, STefan

--------------Rz1doImUc6YJEXGn8fkWtJou--

--------------AE0voxisgXBGshCCH9j8Z6a3
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEo3HqZZwL7MgrcVMTR+u171r99UQFAmIE0tUFAwAAAAAACgkQR+u171r99UTx
XAf8De+MqeEhs6eGofVd6TwBst6h/MYqwIooA9Z9flUmq5gWQfpJR7pVxv+1DW/J6FjmWuyOZc1M
KmK2kM6QFHf4cSlzMhMguoGK9+Cu7HoRRD3aLFhf0V+NqjriPkrmmNsMMFLYlxfFQ5SRrdIvF1wp
npsmVCsGn0LQdifXqdeEOfltsD/5g7XhaALAVV5ZrHWYEAx6UCJJM1Z131ZkrLJg5fPYnEsfTXa+
oyV2EjBFm8LmkSyNOXBu5Q2hGKHCqO0duGhEe37FjnffmMK0LG69w56c2A6zuuFrxUbFmYOuZBlX
dUYKxaOkiOd6Ns7fStcLZ5Du0ByuJC3qpiHAgYDYLQ==
=lmLS
-----END PGP SIGNATURE-----

--------------AE0voxisgXBGshCCH9j8Z6a3--