From owner-freebsd-fs Thu Oct 30 15:20:09 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA19776 for fs-outgoing; Thu, 30 Oct 1997 15:20:09 -0800 (PST) (envelope-from owner-freebsd-fs) Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id PAA19676 for ; Thu, 30 Oct 1997 15:19:30 -0800 (PST) (envelope-from wosch@cs.tu-berlin.de) Received: from panke.panke.de (anonymous216.ppp.cs.tu-berlin.de [130.149.17.216]) by mail.cs.tu-berlin.de (8.8.6/8.8.7) with ESMTP id AAA12864; Fri, 31 Oct 1997 00:16:56 +0100 (MET) Received: (from wosch@localhost) by panke.panke.de (8.8.5/8.6.12) id AAA00468; Fri, 31 Oct 1997 00:13:53 +0100 (MET) To: Ollivier Robert Cc: freebsd-fs@FreeBSD.ORG Subject: Re: disabled symlinks References: <199710261041.LAA00556@panke.panke.de> <19971027001140.31561@keltia.freenix.fr> From: Wolfram Schneider Date: 31 Oct 1997 00:13:48 +0100 In-Reply-To: Ollivier Robert's message of Mon, 27 Oct 1997 00:11:40 +0100 Message-ID: Lines: 241 Sender: owner-freebsd-fs@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk Ollivier Robert writes: > Could you please modify your patch not to _follow_ symlinks in order to > disallow all symlinks in a given FS ? I split the nosymlink flag into 3 flags nosymlinkcreate Do not allow the creation of a symlink(2) for non-root users on the mounted file system. nosymlinkfollow Do not follow symlinks on the mounted file system. nosymlinkpubdir Do not allow the creation of a symlink(2) for non-root users in public writable directories with the sticky bit (mode 1777) on the mounted file system. Index: sys/sys/mount.h =================================================================== RCS file: /usr/cvs/src/sys/sys/mount.h,v retrieving revision 1.34.2.1 diff -u -r1.34.2.1 mount.h --- mount.h 1997/08/17 13:33:43 1.34.2.1 +++ mount.h 1997/10/30 17:04:30 @@ -161,6 +161,10 @@ #define MNT_UNION 0x00000020 /* union with underlying filesystem */ #define MNT_ASYNC 0x00000040 /* file system written asynchronously */ #define MNT_NOATIME 0x10000000 /* Disable update of file access times */ +#define MNT_NOSYMLINKCREATE 0x20000000 /* do not create symlinks */ +#define MNT_NOSYMLINKFOLLOW 0x40000000 /* do not follow symlinks */ +/* do not create symlinks in public writable directories with sticky bit */ +#define MNT_NOSYMLINKPUBDIR 0x80000000 /* * exported mount flags. @@ -185,7 +189,9 @@ #define MNT_VISFLAGMASK (MNT_RDONLY|MNT_SYNCHRONOUS|MNT_NOEXEC|MNT_NOSUID| \ MNT_NODEV|MNT_UNION|MNT_ASYNC|MNT_EXRDONLY|MNT_EXPORTED| \ MNT_DEFEXPORTED|MNT_EXPORTANON|MNT_EXKERB|MNT_LOCAL| \ - MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME) + MNT_QUOTA|MNT_ROOTFS|MNT_USER|MNT_NOATIME|\ + MNT_NOSYMLINKCREATE|MNT_NOSYMLINKFOLLOW|\ + MNT_NOSYMLINKPUBDIR) /* * filesystem control flags. Index: sys/kern/vfs_lookup.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_lookup.c,v retrieving revision 1.11.4.1 diff -u -r1.11.4.1 vfs_lookup.c --- vfs_lookup.c 1996/12/03 15:48:25 1.11.4.1 +++ vfs_lookup.c 1997/10/30 17:05:55 @@ -493,6 +493,10 @@ ((cnp->cn_flags & FOLLOW) || trailing_slash || *ndp->ni_next == '/')) { cnp->cn_flags |= ISSYMLINK; + if (dp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) { + error = EACCES; + goto bad2; + } return (0); } Index: sys/kern/vfs_syscalls.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.51.2.6 diff -u -r1.51.2.6 vfs_syscalls.c --- vfs_syscalls.c 1997/10/23 18:04:55 1.51.2.6 +++ vfs_syscalls.c 1997/10/30 22:24:47 @@ -183,9 +183,11 @@ else if (mp->mnt_flag & MNT_RDONLY) mp->mnt_flag |= MNT_WANTRDWR; mp->mnt_flag &=~ (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV | - MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME); + MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_NOATIME | + MNT_NOSYMLINKCREATE | MNT_NOSYMLINKFOLLOW | MNT_NOSYMLINKPUBDIR); mp->mnt_flag |= uap->flags & (MNT_NOSUID | MNT_NOEXEC | MNT_NODEV | - MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME); + MNT_SYNCHRONOUS | MNT_UNION | MNT_ASYNC | MNT_FORCE | MNT_NOATIME | + MNT_NOSYMLINKCREATE | MNT_NOSYMLINKFOLLOW | MNT_NOSYMLINKPUBDIR); /* * Mount the filesystem. */ @@ -1326,8 +1328,10 @@ return (error); vp = nd.ni_vp; error = vn_stat(vp, &sb, p); - if (vp->v_type == VLNK) + if (vp->v_type == VLNK && + (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) != 0) sb.st_mode |= S_IFLNK | ACCESSPERMS; /* 0777 */ + vput(vp); if (error) return (error); Index: sys/kern/vfs_vnops.c =================================================================== RCS file: /usr/cvs/src/sys/kern/vfs_vnops.c,v retrieving revision 1.26.2.2 diff -u -r1.26.2.2 vfs_vnops.c --- vfs_vnops.c 1997/03/08 15:16:18 1.26.2.2 +++ vfs_vnops.c 1997/10/30 22:24:34 @@ -353,6 +353,9 @@ break; case VLNK: mode |= S_IFLNK; + /* mark symlinks as unreadable, cosmetic, 000 */ + if (vp->v_mount->mnt_flag & MNT_NOSYMLINKFOLLOW) + mode &= ~ACCESSPERMS; break; case VSOCK: mode |= S_IFSOCK; Index: sys/ufs/ufs/ufs_vnops.c =================================================================== RCS file: /usr/cvs/src/sys/ufs/ufs/ufs_vnops.c,v retrieving revision 1.41.2.3 diff -u -r1.41.2.3 ufs_vnops.c --- ufs_vnops.c 1997/06/29 08:48:50 1.41.2.3 +++ ufs_vnops.c 1997/10/30 17:53:53 @@ -1515,6 +1515,26 @@ register struct inode *ip; int len, error; + /* do not create symlinks for non-root users */ + if (ap->a_dvp->v_mount->mnt_flag & MNT_NOSYMLINKCREATE && + ap->a_cnp->cn_cred->cr_uid != 0) { + vput(ap->a_dvp); + return ENOSYS; + } else + + /* + * Do not create symlinks for non-root users in + * public writable directories with sticky bit (mode = 41777) + */ + if (ap->a_dvp->v_mount->mnt_flag & MNT_NOSYMLINKPUBDIR && + ap->a_cnp->cn_cred->cr_uid != 0 && + (VTOI(ap->a_dvp)->i_mode & + (S_IFDIR | S_ISTXT | S_IRWXU | S_IRWXG | S_IRWXO)) == + (S_IFDIR | S_ISTXT | S_IRWXU | S_IRWXG | S_IRWXO)) { + vput(ap->a_dvp); + return ENOSYS; + } + error = ufs_makeinode(IFLNK | ap->a_vap->va_mode, ap->a_dvp, vpp, ap->a_cnp); if (error) Index: sbin/mount/mntopts.h =================================================================== RCS file: /usr/cvs/src/sbin/mount/mntopts.h,v retrieving revision 1.7 diff -u -r1.7 mntopts.h --- mntopts.h 1996/09/03 07:13:55 1.7 +++ mntopts.h 1997/10/30 18:07:12 @@ -47,6 +47,9 @@ #define MOPT_NODEV { "dev", 1, MNT_NODEV, 0 } #define MOPT_NOEXEC { "exec", 1, MNT_NOEXEC, 0 } #define MOPT_NOSUID { "suid", 1, MNT_NOSUID, 0 } +#define MOPT_NOSYMLINKCREATE { "symlinkcreate", 1, MNT_NOSYMLINKCREATE, 0 } +#define MOPT_NOSYMLINKFOLLOW { "symlinkfollow", 1, MNT_NOSYMLINKFOLLOW, 0 } +#define MOPT_NOSYMLINKPUBDIR { "symlinkpubdir", 1, MNT_NOSYMLINKPUBDIR, 0 } #define MOPT_RDONLY { "rdonly", 0, MNT_RDONLY, 0 } #define MOPT_SYNC { "sync", 0, MNT_SYNCHRONOUS, 0 } #define MOPT_UNION { "union", 0, MNT_UNION, 0 } @@ -75,6 +78,9 @@ MOPT_NODEV, \ MOPT_NOEXEC, \ MOPT_NOSUID, \ + MOPT_NOSYMLINKCREATE, \ + MOPT_NOSYMLINKFOLLOW, \ + MOPT_NOSYMLINKPUBDIR, \ MOPT_RDONLY, \ MOPT_UNION Index: sbin/mount/mount.8 =================================================================== RCS file: /usr/cvs/src/sbin/mount/mount.8,v retrieving revision 1.11.2.2 diff -u -r1.11.2.2 mount.8 --- mount.8 1997/08/24 17:52:01 1.11.2.2 +++ mount.8 1997/10/30 18:00:57 @@ -134,6 +134,20 @@ wrapper like .Xr suidperl is installed on your system. +.It nosymlinkcreate +Do not allow the creation of a +.Xr symlink 2 +for non-root users +on the mounted file system. +.It nosymlinkfollow +Do not follow symlinks +on the mounted file system. +.It nosymlinkpubdir +Do not allow the creation of a +.Xr symlink 2 +for non-root users in public writable directories with the +sticky bit (mode 1777) +on the mounted file system. .It rdonly The same as .Fl r ; Index: sbin/mount/mount.c =================================================================== RCS file: /usr/cvs/src/sbin/mount/mount.c,v retrieving revision 1.15 diff -u -r1.15 mount.c --- mount.c 1996/09/03 07:13:56 1.15 +++ mount.c 1997/10/30 17:58:35 @@ -92,6 +92,9 @@ { MNT_NODEV, "nodev" }, { MNT_NOEXEC, "noexec" }, { MNT_NOSUID, "nosuid" }, + { MNT_NOSYMLINKCREATE, "nosymlinkcreate" }, + { MNT_NOSYMLINKFOLLOW, "nosymlinkfollow" }, + { MNT_NOSYMLINKPUBDIR, "nosymlinkpubdir" }, { MNT_QUOTA, "with quotas" }, { MNT_RDONLY, "read-only" }, { MNT_SYNCHRONOUS, "synchronous" }, @@ -588,6 +591,15 @@ if (ent->f_flags & MNT_ASYNC) printf (",async"); + + if (ent->f_flags & MNT_NOSYMLINKCREATE) + printf (",nosymlinkcreate"); + + if (ent->f_flags & MNT_NOSYMLINKFOLLOW) + printf (",nosymlinkfollow"); + + if (ent->f_flags & MNT_NOSYMLINKPUBDIR) + printf (",nosymlinkpubdir"); if (fst = getfsspec (ent->f_mntfromname)) printf ("\t%u %u\n", fst->fs_freq, fst->fs_passno); -- Wolfram Schneider http://www.apfel.de/~wosch/