The long road to a fix for CVE-2021-20316
The story starts with a bug report from Michael Hanselmann in May 2019. When an SMB client instructs the server to create a new directory, the server must carry out a number of checks to ensure that the client is entitled to do that. Among other things, the server makes sure that the requested directory actually lies within the exported SMB share rather than being at some arbitrary location elsewhere in the server's filesystem. Unfortunately, there is inevitably a window between when the server performs the check and when it actually creates the directory. If a malicious user is able to replace a component in the path for the new directory with a symbolic link during that window, Samba will happily follow the link and make the directory in the wrong place, with results that are generally seen as distasteful by anybody but an attacker.
This is a classic time-of-check/time-of-use (TOCTOU) vulnerability, of the sort that symbolic links have become notorious for. It is also a hard one to fix, especially for a system like Samba, where portability is an important concern. There is no easy, cross-platform way to query the attributes of a path in the filesystem and safely act on the result, secure in the knowledge that a malicious actor cannot change things in the middle. Still, something clearly needed to be done, so Samba developer Jeremy Allison jumped in to write a fix. The CVE number CVE-2019-10151 was duly assigned to this problem.
The real problem
The hope was to come up with a quick solution but, from the outset, Allison identified the real problem: the use of path names to interact with the server-side filesystem. Every time that a path is passed to the kernel, the process of walking through it must be carried out anew; any user who can make that process arrive in different places at different times (through carefully timed use of symbolic links, for example) could use that ability to confuse the server. The good news is that there is another way that doesn't rely on unchanging paths.
Over the years, the kernel has gained a set of system calls that operate on
file handles (open file descriptors) rather than path names. A carefully
written server can, for example, use openat2()
to create a file descriptor for a directory of interest, do its checks to
ensure that the directory is what is expected, then use mkdirat()
to create a subdirectory that cannot be redirected to the wrong place.
Properly used, these system calls remove the TOCTOU race from this kind of
operation, but they only work if they are being used — and Samba's use of
them in 2019 was limited. At the time, Allison remarked: "Ultimately
we need to modify the VFS to use the syscallAT() variants of all the system
calls, but that's a VFS rewrite we will have to schedule for another
day
".
Over a month or so of attempts to close the vulnerability (and other
symbolic-link issues that
arose once people started looking for them), it became increasingly clear
that "another day" was coming sooner than anybody had thought. By mid-July
2019, Allison seemed
resigned to the big rewrite: "This is going to be a long slog,
re-writing the pathname processing in the server
". There was a
complication, though: while this slog was underway, the vulnerability would
remain unfixed and undisclosed. So how would all of this work be explained
to anybody else who was watching the Samba project's work? According to
Allison:
We need to rewrite the fileserver to [make] arbitrary symlink race change safe on all pathname operations. This is too large to do in private, so I'm doing this in public under the guise of "modernising the VFS to use handle-based operations" (without saying explicitly *why* I'm doing so).
There were a few other aspects of this project — beyond the need to hide its real purpose — that made it hard. One of those is that version 1 of the SMB protocol (SMB1) is path-name-based at its core, making it almost impossible for the server to use anything else. The abrupt deprecation of SMB1 in the Samba 4.11 release in September 2019 was partially driven by this problem.
The SMB2 protocol, instead, is based heavily on file handles, which should make it easier for the server implementation to work the same way. But Samba is an old program with a lot of history, so many of the internal interfaces were still using path names, even when a file handle was readily available. This includes the VFS interface that is used to talk with modules for specific host filesystems, add functionality like virus scanning, and more. Changing all of those internal APIs was a large job that would touch much of the code in the Samba server.
Thousands of changes
During the next two years, Allison would contribute 1,638 commits to the Samba repository — 17% of the total over that period. Not all of those were aimed at the VFS rewrite, but most of them were. And Allison was not alone; Ralph Böhme (1,261 commits), Noel Power (438) and Samuel Cabrero (251) also contributed heavily to this project. "Modernizing" the Samba VFS took up much of the project's attention while remaining mostly under the radar for anybody who was unaware of the real problem.
Böhme presented this work at the 2021 SambaXP event (video, slides) without ever mentioning the (still urgent) security problem that was driving it. The talk gets into a lot of the details of what needed to be done and how various problems were solved on Linux; it is recommended viewing for anybody who wants to dig deeper. There is also some information on the Samba wiki.
In July 2021, Allison declared victory:
With the master commit e168a95c1bb1928cf206baf6d2db851c85f65fa9, I believe all race conditions on meta-data are now fixed in the default paths. The async DOS attribute read still uses path-based getxattr, and some of the VFS modules are not symlink safe, but out of the box Samba I believe will no longer be vulnerable to this in 4.15.0.
Since then, the remaining path-based extended-attribute calls have been fixed as well. Of course, there were a few details to deal with yet, including the fact that the original CVE number had expired due to not being updated for too long. That necessitated the assignment of a new number, which is why this vulnerability is known as CVE-2021-43566. The work did show up as expected in the Samba 4.15.0 release in September 2021 — more than two years after the initial vulnerability report.
In the vulnerability disclosure, the Samba project described the situation this way:
A two and a half year effort was undertaken to completely re-write the Samba VFS layer to stop use of pathname-based calls in all cases involving reading and writing of metadata returned to the client. This work has finally been completed in Samba 4.15.0. [...]As all operations are now done on an open handle we believe that any further symlink race conditions have been completely eliminated in Samba 4.15.0 and all future versions of Samba.
The disclosure also notes that, due to the massive nature of the rewrite, it will not be possible to fix this vulnerability in earlier Samba releases.
In the end, the Samba project was able to get this vulnerability fixed before word of the problem spread, and before any known exploits took place. But it was a bit of a gamble; attackers tend to keep an eye on the repositories of interesting projects in the hope of noticing patches addressing undisclosed vulnerabilities. It is hard not to draw comparisons with the events leading up to the disclosure of Meltdown and Spectre, both of which also required massive changes to address an undisclosed vulnerability. But, unlike the developers working on Spectre, the Samba developers found a way to do their work in public, ensuring that all patches were properly reviewed and minimizing the problems that had to be addressed after disclosure of the problem.
The gamble appears to have paid off, though things could have gone differently. Since then, Allison has been making the point that symbolic links are dangerous in general, and that other projects almost certainly have similar problems. He has a talk planned for SambaXP later this year that, presumably, will be more forthcoming than Böhme's 2021 presentation. Samba users (those who have updated, at least) are hopefully immune to symbolic-link attacks, but that is probably not true of many other systems that we depend on.
(Thanks to Jeremy Allison for answering questions and performing technical
review on a draft of this article.)
Index entries for this article | |
---|---|
Security | Samba |
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 20:53 UTC (Thu)
by calumapplepie (guest, #143655)
[Link] (24 responses)
Posted Feb 10, 2022 20:53 UTC (Thu) by calumapplepie (guest, #143655) [Link] (24 responses)
Obviously, it's a bit late, and there are probably a long list of very good reasons that people haven't already done this. But I think this is a bug that will keep appearing time and time again, and making it an easy fix for developers will hopefully mitigate it a lot.
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 21:30 UTC (Thu)
by jra (subscriber, #55261)
[Link] (21 responses)
Posted Feb 10, 2022 21:30 UTC (Thu) by jra (subscriber, #55261) [Link] (21 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 21:37 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link] (8 responses)
Posted Feb 10, 2022 21:37 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (8 responses)
Future OSes should reject the ACL and permission nonsense and instead move to true container-like isolation.
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 22:13 UTC (Thu)
by jra (subscriber, #55261)
[Link] (3 responses)
Posted Feb 10, 2022 22:13 UTC (Thu) by jra (subscriber, #55261) [Link] (3 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 22:14 UTC (Thu)
by jra (subscriber, #55261)
[Link] (1 responses)
Posted Feb 10, 2022 22:14 UTC (Thu) by jra (subscriber, #55261) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 23:52 UTC (Thu)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Feb 10, 2022 23:52 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]
I actually Googled "Sba RedHat" and just was going to ask what it is.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 15:59 UTC (Fri)
by phlogistonjohn (subscriber, #81085)
[Link]
Posted Feb 11, 2022 15:59 UTC (Fri) by phlogistonjohn (subscriber, #81085) [Link]
https://github.com/samba-in-kubernetes/samba-container/
and the related projects in our org https://github.com/samba-in-kubernetes/
Note that despite the name "kubernetes" in the org, the container images are designed not to be k8s
specific. I'd love to see other uses of the container images for docker/docker-compose, podman, etc. The name was partly chosen because we do have other k8s specific integration plans... and we could abbreviate it as "SINK" ;-)
Thank you for the opportunity for a bit of free advertising.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 10:10 UTC (Fri)
by taladar (subscriber, #68407)
[Link] (3 responses)
Posted Feb 11, 2022 10:10 UTC (Fri) by taladar (subscriber, #68407) [Link] (3 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 13:30 UTC (Fri)
by joib (subscriber, #8541)
[Link] (2 responses)
Posted Feb 11, 2022 13:30 UTC (Fri) by joib (subscriber, #8541) [Link] (2 responses)
But maybe something like when a new user connects, fork a new process to handle that user, create appropriately restricted namespaces for that process (call it a "container" if you like), and finally switch the process uid to that user?
The long road to a fix for CVE-2021-20316
Posted Feb 13, 2022 16:53 UTC (Sun)
by marcH (subscriber, #57642)
[Link]
Posted Feb 13, 2022 16:53 UTC (Sun) by marcH (subscriber, #57642) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 16, 2022 19:24 UTC (Wed)
by ssmith32 (subscriber, #72404)
[Link]
Posted Feb 16, 2022 19:24 UTC (Wed) by ssmith32 (subscriber, #72404) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 23:51 UTC (Thu)
by nix (subscriber, #2304)
[Link] (10 responses)
Posted Feb 10, 2022 23:51 UTC (Thu) by nix (subscriber, #2304) [Link] (10 responses)
An alternative approach that breaks much less, probably nothing, while retaining the security benefits of root-only symlinks: non-root-owned symlinks (or, more generally, symlinks with uids not specified in a new file under /proc/sys somewhere: root only by default) are only followed by the user that owns them: other users get the effect of O_NOFOLLOW on that symlink without needing to ask for it.
Now hostile users can create all the symlinks they want, as can non-hostile users, and the use case the non-hostile users wanted still works (they can follow symlinks they created, and symlinks the sysadmin or package installer created), while the hostile users find that they are following the hostile symlinks they created, but nobody else is. This obviously should apply at all stages in path resolution, including if a path contains a symlink to a directory. (I don't think we need to worry about races involving symlink ownership suddenly changing, since only root can do that and if root is malicious you've already lost.)
Anyone still broken by this is probably using gid-shared directories for something, like it was the 1980s still. They're probably using ACLs too. A slightly more permissive mode, off by default or on only in directories with the setgid bit active or perhaps which are gid-writable, could apply the same check based on the gid of the symlink instead of the uid, which would fix this use case too. I'm sceptical this use case is common enough to worry about, though.
But symlink following in the specific case of following symlinks the admin made and symlinks the user themselves made is so useful that it simply shouldn't be broken. It's not some program's decision to not let me stitch things together with symlinks I created: it's mine, and programs should always follow them. Symlinks a random hostile user created, though -- why would I ever want to follow those? And thankfully file ownership tracks this perfectly well so we can always get the answer right :)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 0:18 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link] (2 responses)
Posted Feb 11, 2022 0:18 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (2 responses)
While this is an interesting idea, I think it will likely be a non-starter because it changes long-established behavior. There will be things that break because of this, and "don't break userspace" is an important enough principle that it will not fly.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 14:27 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Feb 11, 2022 14:27 UTC (Fri) by nix (subscriber, #2304) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 12, 2022 2:55 UTC (Sat)
by bartoc (subscriber, #124262)
[Link]
Posted Feb 12, 2022 2:55 UTC (Sat) by bartoc (subscriber, #124262) [Link]
My userspace was just broken by lack of `/dev/mem` on my fedora box (I was trying to fetch the EDID of my display)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 0:53 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link] (3 responses)
Posted Feb 11, 2022 0:53 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (3 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 12:50 UTC (Fri)
by ibukanov (guest, #3942)
[Link]
Posted Feb 11, 2022 12:50 UTC (Fri) by ibukanov (guest, #3942) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 13, 2022 18:23 UTC (Sun)
by khim (subscriber, #9252)
[Link] (1 responses)
> Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks?
Posted Feb 13, 2022 18:23 UTC (Sun) by khim (subscriber, #9252) [Link] (1 responses)
Root would follow only root-created symlinks. Everyone else would also follow root-created symlinks. Everyone else would just follow their own symlinks.
It's actually interesting idea. Would need to see how many packages would break, but this wouldn't effect things like git (people rarely use unix permissions in the middle of git repos) while most distro-provided system symlinks would work.
I think there are some container solutions which use per-app UID (like on Android), would need to decide what to do about these.
The long road to a fix for CVE-2021-20316
Posted Feb 13, 2022 19:02 UTC (Sun)
by mjg59 (subscriber, #23239)
[Link]
Posted Feb 13, 2022 19:02 UTC (Sun) by mjg59 (subscriber, #23239) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 16, 2022 8:59 UTC (Wed)
by pmatilai (subscriber, #15420)
[Link] (2 responses)
Posted Feb 16, 2022 8:59 UTC (Wed) by pmatilai (subscriber, #15420) [Link] (2 responses)
I've yet to see it break any legitimate case in the packaging world.
That commit is of course only a tiny fraction (and buggy at that) of the overall problem which we're only just now getting close to resolving it in a wider sense - much like Samba, rpm traditionally used absolute paths for everything.
The long road to a fix for CVE-2021-20316
Posted Feb 18, 2022 1:50 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted Feb 18, 2022 1:50 UTC (Fri) by nix (subscriber, #2304) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 18, 2022 17:46 UTC (Fri)
by nybble41 (subscriber, #55106)
[Link]
Posted Feb 18, 2022 17:46 UTC (Fri) by nybble41 (subscriber, #55106) [Link]
This is a false assumption. The owner of a file or directory can only change permissions or make other changes to it *if they can obtain a reference*. If you own /a/b but don't have search permissions (+x) on /a (and don't have /a/b as your current directory or some similar corner case) then you can't do anything with /a/b. However, under this rule you can still create a symlink to /a/b which would be followed by other users because you own /a/b, even though you can't access it yourself through /a. (The same issue impacts /proc/sys/fs/protected_symlinks=1.)
One option I haven't seen suggested yet would be to use the intersection of the permissions available to the original user and the owner(s) of any symlink(s) followed while resolving the path. Though in practice you might need more information than just the symlink's UID and GID to serve as the credentials, especially when relying on "negative ACLs", pluggable security modules like SELinux, or narrower group permissions overriding, rather than supplementing, broader "other" permissions.
The long road to a fix for CVE-2021-20316
Posted Feb 12, 2022 2:52 UTC (Sat)
by bartoc (subscriber, #124262)
[Link]
Posted Feb 12, 2022 2:52 UTC (Sat) by bartoc (subscriber, #124262) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 9:27 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link]
Posted Feb 11, 2022 9:27 UTC (Fri) by NYKevin (subscriber, #129325) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 9:43 UTC (Fri)
by dullfire (guest, #111432)
[Link]
Posted Feb 11, 2022 9:43 UTC (Fri) by dullfire (guest, #111432) [Link]
Which would be a massive regression.
The long road to a fix for CVE-2021-20316
Posted Feb 10, 2022 23:53 UTC (Thu)
by xecycle (subscriber, #140261)
[Link] (4 responses)
Posted Feb 10, 2022 23:53 UTC (Thu) by xecycle (subscriber, #140261) [Link] (4 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 0:27 UTC (Fri)
by LtWorf (subscriber, #124958)
[Link]
Posted Feb 11, 2022 0:27 UTC (Fri) by LtWorf (subscriber, #124958) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 7:43 UTC (Fri)
by pbonzini (subscriber, #60935)
[Link]
Posted Feb 11, 2022 7:43 UTC (Fri) by pbonzini (subscriber, #60935) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 9:31 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link]
Posted Feb 11, 2022 9:31 UTC (Fri) by NYKevin (subscriber, #129325) [Link]
Nevertheless, if you're an IT department deploying Samba on e.g. a NAS, you probably *can* make that sort of guarantee. I'm not saying this is a good idea, however.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 15:16 UTC (Fri)
by tialaramex (subscriber, #21167)
[Link]
Posted Feb 11, 2022 15:16 UTC (Fri) by tialaramex (subscriber, #21167) [Link]
Windows NT 4 was known to be broken. IIRC some of its system calls (syscalls aren't *supposed* to be ABI compatibility points in Windows, but in practice if enough people rely on one then Microsoft can't change it) were just inherently insecure as with the old path based calls Samba is using here, there was no way to fix them without a rewrite of the relevant OS components and potentially breaking all the affected software.
If you went to Microsoft and said, "Look, this important security stuff is broken in NT4, where's a fix?" their answer was "Windows 2000". Is that a free upgrade? Nope, tough. If you want the important security fixes, buy the new operating system.
Life is like that. The people who own the building where I live discovered that their fire insulation wasn't up to specification in some voids, so they spent a pile of money fixing it and it came out of normal operating funds (thus paid for by home owners like me). But after Grenfell, lots of people in tall buildings found out that the entire outer layer of their building was a fire hazard and the consequence was their homes became unsaleable and (unless Government decides to step in and fix it or force the builders to fix it, which they still haven't many years later) they would need to spend far more money than they have to solve the problem and be able to sell their home. Ouch.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 15:17 UTC (Fri)
by Paf (subscriber, #91811)
[Link] (2 responses)
Posted Feb 11, 2022 15:17 UTC (Fri) by Paf (subscriber, #91811) [Link] (2 responses)
There doesn’t have to be, or at least not this kind…. Having a separate *path navigation* for security check and for the operation is … wow. You do a security oriented lookup on the entity (in this case the parent), checking permissions as you go, then you have the entity. You then just use it. That the path is processed twice is … loopy and obviously a huge problem.
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 15:23 UTC (Fri)
by Paf (subscriber, #91811)
[Link] (1 responses)
Posted Feb 11, 2022 15:23 UTC (Fri) by Paf (subscriber, #91811) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 17:45 UTC (Fri)
by jra (subscriber, #55261)
[Link]
Posted Feb 11, 2022 17:45 UTC (Fri) by jra (subscriber, #55261) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 16:39 UTC (Fri)
by ldearquer (guest, #137451)
[Link] (4 responses)
Posted Feb 11, 2022 16:39 UTC (Fri) by ldearquer (guest, #137451) [Link] (4 responses)
But why do Samba servers have write access to any locations other than the SMB share in the first place? Or is this for cases where SMB share == the whole filesystem?
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 17:47 UTC (Fri)
by jra (subscriber, #55261)
[Link] (3 responses)
Posted Feb 11, 2022 17:47 UTC (Fri) by jra (subscriber, #55261) [Link] (3 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 18:00 UTC (Fri)
by NYKevin (subscriber, #129325)
[Link] (2 responses)
Posted Feb 11, 2022 18:00 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (2 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 11, 2022 18:43 UTC (Fri)
by jra (subscriber, #55261)
[Link] (1 responses)
Posted Feb 11, 2022 18:43 UTC (Fri) by jra (subscriber, #55261) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 12, 2022 0:20 UTC (Sat)
by gerdesj (subscriber, #5446)
[Link]
Posted Feb 12, 2022 0:20 UTC (Sat) by gerdesj (subscriber, #5446) [Link]
I can remember testing out Ben Greer's smart new VLAN code in the kernel to get a set of smbd and nmbds running on a fairly large network to get a browse list together. This is me a few years back: https://lwn.net/Articles/75489/ whittering on about it.
Samba makes CIFS/SMB work in ways that MS has never even imagined. That's the thing - imagination. Samba is imaginative where the MS option is rather staid and boring.
Now if it was possible to get ACLs to work like NetWare nwfs/nss ie dynamically calculated on the fly, that would be quite handy.
Anyway, cheers Jez. That was a lot of work fixing things up. Thank you.
The long road to a fix for CVE-2021-20316
Posted Feb 12, 2022 8:53 UTC (Sat)
by cozzyd (guest, #110972)
[Link]
Posted Feb 12, 2022 8:53 UTC (Sat) by cozzyd (guest, #110972) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 13, 2022 19:40 UTC (Sun)
by metalheart (guest, #89328)
[Link] (20 responses)
Posted Feb 13, 2022 19:40 UTC (Sun) by metalheart (guest, #89328) [Link] (20 responses)
From my past experience it makes changes in organizational structure easier to implement on file server directory structure (you do not need to copy data from one share to another). What else?
The long road to a fix for CVE-2021-20316
Posted Feb 14, 2022 8:07 UTC (Mon)
by eru (subscriber, #2753)
[Link] (19 responses)
Posted Feb 14, 2022 8:07 UTC (Mon) by eru (subscriber, #2753) [Link] (19 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 14, 2022 17:32 UTC (Mon)
by jra (subscriber, #55261)
[Link] (5 responses)
Posted Feb 14, 2022 17:32 UTC (Mon) by jra (subscriber, #55261) [Link] (5 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 12:18 UTC (Tue)
by eru (subscriber, #2753)
[Link] (1 responses)
Posted Feb 15, 2022 12:18 UTC (Tue) by eru (subscriber, #2753) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 14:09 UTC (Tue)
by rahulsundaram (subscriber, #21946)
[Link]
Posted Feb 15, 2022 14:09 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]
Your info is heavily outdated. It is well supported and well documented these days.
https://docs.microsoft.com/en-us/windows-server/administr...
The long road to a fix for CVE-2021-20316
Posted Feb 19, 2022 17:10 UTC (Sat)
by Jandar (subscriber, #85683)
[Link] (2 responses)
Posted Feb 19, 2022 17:10 UTC (Sat) by Jandar (subscriber, #85683) [Link] (2 responses)
Marvelous, a kind of symlink a user can't use. What comes next, only admin approved (*) programs can create executables? Doubtless it would be a security enhancement if no executable memory-mapping could contain bytes generated by an arbitrary program.
Most symlinks I use or encounter are made by users within their own directories pointing into other parts of their own space.
* The mainframe I used at university had such a concept. IIRC only an admin at the console could set the compiler-permission.
The long road to a fix for CVE-2021-20316
Posted Feb 21, 2022 0:38 UTC (Mon)
by Fowl (subscriber, #65667)
[Link] (1 responses)
Posted Feb 21, 2022 0:38 UTC (Mon) by Fowl (subscriber, #65667) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 22, 2022 16:56 UTC (Tue)
by Jandar (subscriber, #85683)
[Link]
Posted Feb 22, 2022 16:56 UTC (Tue) by Jandar (subscriber, #85683) [Link]
And this is why an Android device even with a Linux kernel doesn't provide a very Unix like experience.
If my desktop, laptop or servers would restrict me in the same way as an Android device I would immediately switch the distribution or to something more different like one of the BSDs.
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 16:07 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (12 responses)
Posted Feb 15, 2022 16:07 UTC (Tue) by Wol (subscriber, #4433) [Link] (12 responses)
What's so "killer feature" about them?
Coming from OSs that didn't have symlinks, I don't use them. I do make use of hard links, mostly to provide multiple links to semi-archive material (and also to protect against accidental deletion, which symlinks don't). So what ARE the advantages?
Cheers,
Wol
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 17:44 UTC (Tue)
by nybble41 (subscriber, #55106)
[Link] (11 responses)
Posted Feb 15, 2022 17:44 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (11 responses)
* You can symlink across filesystems, but hard links only work within filesystems.
* If a file is deleted and replaced (i.e. the ubiquitous "atomic rename" pattern) this breaks hard links, but not symlinks.
* Symlinks can point to directories, while hard links to directories are either disallowed altogether or heavily restricted.
* Symlinks interact better with filesystem quotas. If you can create a hard link to a file owned by another user in a location they can't access, and the original path is later deleted, then you can cause that part of their quota to be permanently inaccessible to them. (Alternatively, the system can disallow hard links to other user's files—in which case the advantage of symlinks is not having this restriction.)
* You can read a symlink to determine where it goes, but with hard links you only have an inode number.
* Directory entries accessed through symlinks have canonical paths, but hard-linked inodes have multiple, equally authoritative, paths.
> Coming from OSs that didn't have symlinks, I don't use them.
Which OS do you use that doesn't have symlinks? Not Linux, or MacOS, or Windows… though symlinks in Windows are a bit different, it does have them. You create them with the "mklink" command. They aren't strictly limited to administrator accounts either; that's just a default setting. The biggest difference is that Windows distinguishes between symlinks to files and symlinks to directories. It also has "junction points" which work much like symlinks (but only for directories). Also let's not forget "shortcuts" (*.lnk files), which are basically symlinks implemented somewhat inconsistently at a layer above the kernel. These have been around since Windows ran under DOS.
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 19:24 UTC (Tue)
by jra (subscriber, #55261)
[Link] (2 responses)
Posted Feb 15, 2022 19:24 UTC (Tue) by jra (subscriber, #55261) [Link] (2 responses)
After enough years, I'm convinced they were a foundational mistake in POSIX. We need to move past them and stop this mistake from being repeated. More in my SambaXP talk :-).
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 20:13 UTC (Tue)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 responses)
Posted Feb 15, 2022 20:13 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)
The long road to a fix for CVE-2021-20316
Posted Feb 16, 2022 18:55 UTC (Wed)
by jra (subscriber, #55261)
[Link]
Posted Feb 16, 2022 18:55 UTC (Wed) by jra (subscriber, #55261) [Link]
They actually change the view of the filesystem hierarchy in a way that symlinks don't. Symlinks are a point attack that can modify a specific path quickly and easily to anywhere on the filesystem if allowed or exposed over a network filesystem. IMHO they are much more dangerous.
The long road to a fix for CVE-2021-20316
Posted Feb 15, 2022 19:45 UTC (Tue)
by Wol (subscriber, #4433)
[Link] (3 responses)
Posted Feb 15, 2022 19:45 UTC (Tue) by Wol (subscriber, #4433) [Link] (3 responses)
DID I use ... they pre-date linux, MacOS and Windows ...
A Multics-derivative called Pr1mos, various DOSes (I don't think I used CP/M ...) (and I don't mean MS-DOS and derivatives ...)
There used to be a world with many different OSes, not just the three behemoths we have now.
Cheers,
Wol
The long road to a fix for CVE-2021-20316
Posted Feb 16, 2022 15:06 UTC (Wed)
by foom (subscriber, #14868)
[Link] (2 responses)
Posted Feb 16, 2022 15:06 UTC (Wed) by foom (subscriber, #14868) [Link] (2 responses)
This allows them to be less fragile -- they store multiple ways of finding the original file, so it can still be used even in case the target has been moved or renamed. They can also do things like display a gui prompt to ask the user to insert the appropriate floppy disk which contains the target file, or automatically mount the proper remote volume.
However, the downside is that they are not functional for command-line/cross platform programs, which don't use alias-aware file access apis.
The long road to a fix for CVE-2021-20316
Posted Feb 17, 2022 12:52 UTC (Thu)
by khim (subscriber, #9252)
[Link] (1 responses)
> However, the downside is that they are not functional for command-line/cross platform programs, which don't use alias-aware file access apis.
Posted Feb 17, 2022 12:52 UTC (Thu) by khim (subscriber, #9252) [Link] (1 responses)
But classic MacOS had no support for command-line apps which solved that problem.
The long road to a fix for CVE-2021-20316
Posted Feb 19, 2022 21:56 UTC (Sat)
by foom (subscriber, #14868)
[Link]
Posted Feb 19, 2022 21:56 UTC (Sat) by foom (subscriber, #14868) [Link]
(Of course modern macos does have both command line POSIX apps and aliases)
The long road to a fix for CVE-2021-20316
Posted Feb 16, 2022 14:22 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Posted Feb 16, 2022 14:22 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (1 responses)
Some programs still break symlinks because they operate on the pathname, not the result of following the symlink (basically, they replace the symlink instead of replacing the destination file).
The long road to a fix for CVE-2021-20316
Posted Feb 17, 2022 14:43 UTC (Thu)
by Karellen (subscriber, #67644)
[Link]
I think the parent commenter was referring to the case where you have a symlink somewhere pointing to /foo/bar, and /foo/bar is replaced through its canonical path, rather than through the symlink. In that case, the symlink (wherever it is) remains pointing at the new /foo/bar
Posted Feb 17, 2022 14:43 UTC (Thu) by Karellen (subscriber, #67644) [Link]
The long road to a fix for CVE-2021-20316
Posted Feb 23, 2022 12:11 UTC (Wed)
by anton (subscriber, #25547)
[Link] (1 responses)
Posted Feb 23, 2022 12:11 UTC (Wed) by anton (subscriber, #25547) [Link] (1 responses)
* Symlinks interact better with filesystem quotas. If you can create a hard link to a file owned by another user in a location they can't access, and the original path is later deleted, then you can cause that part of their quota to be permanently inaccessible to them. (Alternatively, the system can disallow hard links to other user's files—in which case the advantage of symlinks is not having this restriction.)Given that ownership (and pretty much all other metadata) is stored with the inode, and a hard link is just another reference to the same inode, it's impossible to create a hard link with different ownership (or other metadata) than the original. On some file systems you can create a reflink (new inode, shared data); I don't know how these file systems implement the quota in this case, but IMO the way to handle this is to blame the cost of the file in full on all users (i.e., as in a regular copy).
[/tmp:128248] ls -l foo -rw-r--r-- 1 root root 4 Feb 23 12:56 foo [/tmp:128249] ln foo bar ln: failed to create hard link 'bar' => 'foo': Operation not permitted [/tmp:128251] cp --reflink foo bar [/tmp:128252] ls -l bar -rw-r--r-- 1 anton users 4 Feb 23 12:57 bar
The long road to a fix for CVE-2021-20316
Posted Feb 23, 2022 19:37 UTC (Wed)
by nybble41 (subscriber, #55106)
[Link]
Posted Feb 23, 2022 19:37 UTC (Wed) by nybble41 (subscriber, #55106) [Link]
Yes, but you can create a hardlink to a file you don't own in a location which the owner of the hardlinked inode can't access. If they later lose their own path to the inode (by unlinking it, for example) then the inode continues to exist, because of the hardlink, and thus continues to count against their quota, but they have no way to remove it.