|
|
Subscribe / Log in / New account

The long road to a fix for CVE-2021-20316

By Jonathan Corbet
February 10, 2022
Well-maintained free-software projects usually make a point of quickly fixing known security problems, and the Samba project, which provides interoperability between Windows and Unix systems, is no exception. So it is natural to wonder why the fix for CVE-2021-20316, a symbolic-link vulnerability, was well over two years in coming. Sometimes, a security bug can be fixed with a simple tweak to the code. Other times, the fix requires a massive rewrite of much of a projects's internal code. This particular vulnerability fell firmly into the latter category, necessitating a public rewrite of Samba's virtual filesystem (VFS) layer to address a non-disclosed vulnerability.

The story starts with a bug report from Michael Hanselmann in May 2019. When an SMB client instructs the server to create a new directory, the server must carry out a number of checks to ensure that the client is entitled to do that. Among other things, the server makes sure that the requested directory actually lies within the exported SMB share rather than being at some arbitrary location elsewhere in the server's filesystem. Unfortunately, there is inevitably a window between when the server performs the check and when it actually creates the directory. If a malicious user is able to replace a component in the path for the new directory with a symbolic link during that window, Samba will happily follow the link and make the directory in the wrong place, with results that are generally seen as distasteful by anybody but an attacker.

This is a classic time-of-check/time-of-use (TOCTOU) vulnerability, of the sort that symbolic links have become notorious for. It is also a hard one to fix, especially for a system like Samba, where portability is an important concern. There is no easy, cross-platform way to query the attributes of a path in the filesystem and safely act on the result, secure in the knowledge that a malicious actor cannot change things in the middle. Still, something clearly needed to be done, so Samba developer Jeremy Allison jumped in to write a fix. The CVE number CVE-2019-10151 was duly assigned to this problem.

The real problem

The hope was to come up with a quick solution but, from the outset, Allison identified the real problem: the use of path names to interact with the server-side filesystem. Every time that a path is passed to the kernel, the process of walking through it must be carried out anew; any user who can make that process arrive in different places at different times (through carefully timed use of symbolic links, for example) could use that ability to confuse the server. The good news is that there is another way that doesn't rely on unchanging paths.

Over the years, the kernel has gained a set of system calls that operate on file handles (open file descriptors) rather than path names. A carefully written server can, for example, use openat2() to create a file descriptor for a directory of interest, do its checks to ensure that the directory is what is expected, then use mkdirat() to create a subdirectory that cannot be redirected to the wrong place. Properly used, these system calls remove the TOCTOU race from this kind of operation, but they only work if they are being used — and Samba's use of them in 2019 was limited. At the time, Allison remarked: "Ultimately we need to modify the VFS to use the syscallAT() variants of all the system calls, but that's a VFS rewrite we will have to schedule for another day".

Over a month or so of attempts to close the vulnerability (and other symbolic-link issues that arose once people started looking for them), it became increasingly clear that "another day" was coming sooner than anybody had thought. By mid-July 2019, Allison seemed resigned to the big rewrite: "This is going to be a long slog, re-writing the pathname processing in the server". There was a complication, though: while this slog was underway, the vulnerability would remain unfixed and undisclosed. So how would all of this work be explained to anybody else who was watching the Samba project's work? According to Allison:

We need to rewrite the fileserver to [make] arbitrary symlink race change safe on all pathname operations. This is too large to do in private, so I'm doing this in public under the guise of "modernising the VFS to use handle-based operations" (without saying explicitly *why* I'm doing so).

There were a few other aspects of this project — beyond the need to hide its real purpose — that made it hard. One of those is that version 1 of the SMB protocol (SMB1) is path-name-based at its core, making it almost impossible for the server to use anything else. The abrupt deprecation of SMB1 in the Samba 4.11 release in September 2019 was partially driven by this problem.

The SMB2 protocol, instead, is based heavily on file handles, which should make it easier for the server implementation to work the same way. But Samba is an old program with a lot of history, so many of the internal interfaces were still using path names, even when a file handle was readily available. This includes the VFS interface that is used to talk with modules for specific host filesystems, add functionality like virus scanning, and more. Changing all of those internal APIs was a large job that would touch much of the code in the Samba server.

Thousands of changes

During the next two years, Allison would contribute 1,638 commits to the Samba repository — 17% of the total over that period. Not all of those were aimed at the VFS rewrite, but most of them were. And Allison was not alone; Ralph Böhme (1,261 commits), Noel Power (438) and Samuel Cabrero (251) also contributed heavily to this project. "Modernizing" the Samba VFS took up much of the project's attention while remaining mostly under the radar for anybody who was unaware of the real problem.

Böhme presented this work at the 2021 SambaXP event (video, slides) without ever mentioning the (still urgent) security problem that was driving it. The talk gets into a lot of the details of what needed to be done and how various problems were solved on Linux; it is recommended viewing for anybody who wants to dig deeper. There is also some information on the Samba wiki.

In July 2021, Allison declared victory:

With the master commit e168a95c1bb1928cf206baf6d2db851c85f65fa9, I believe all race conditions on meta-data are now fixed in the default paths. The async DOS attribute read still uses path-based getxattr, and some of the VFS modules are not symlink safe, but out of the box Samba I believe will no longer be vulnerable to this in 4.15.0.

Since then, the remaining path-based extended-attribute calls have been fixed as well. Of course, there were a few details to deal with yet, including the fact that the original CVE number had expired due to not being updated for too long. That necessitated the assignment of a new number, which is why this vulnerability is known as CVE-2021-43566. The work did show up as expected in the Samba 4.15.0 release in September 2021 — more than two years after the initial vulnerability report.

In the vulnerability disclosure, the Samba project described the situation this way:

A two and a half year effort was undertaken to completely re-write the Samba VFS layer to stop use of pathname-based calls in all cases involving reading and writing of metadata returned to the client. This work has finally been completed in Samba 4.15.0. [...]

As all operations are now done on an open handle we believe that any further symlink race conditions have been completely eliminated in Samba 4.15.0 and all future versions of Samba.

The disclosure also notes that, due to the massive nature of the rewrite, it will not be possible to fix this vulnerability in earlier Samba releases.

In the end, the Samba project was able to get this vulnerability fixed before word of the problem spread, and before any known exploits took place. But it was a bit of a gamble; attackers tend to keep an eye on the repositories of interesting projects in the hope of noticing patches addressing undisclosed vulnerabilities. It is hard not to draw comparisons with the events leading up to the disclosure of Meltdown and Spectre, both of which also required massive changes to address an undisclosed vulnerability. But, unlike the developers working on Spectre, the Samba developers found a way to do their work in public, ensuring that all patches were properly reviewed and minimizing the problems that had to be addressed after disclosure of the problem.

The gamble appears to have paid off, though things could have gone differently. Since then, Allison has been making the point that symbolic links are dangerous in general, and that other projects almost certainly have similar problems. He has a talk planned for SambaXP later this year that, presumably, will be more forthcoming than Böhme's 2021 presentation. Samba users (those who have updated, at least) are hopefully immune to symbolic-link attacks, but that is probably not true of many other systems that we depend on.

(Thanks to Jeremy Allison for answering questions and performing technical review on a draft of this article.)

Index entries for this article
SecuritySamba


to post comments

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 20:53 UTC (Thu) by calumapplepie (guest, #143655) [Link] (24 responses)

Should we add a new flag O_NOFOLLOW_LIKE_EVER to open() and friends which says "I promise no symlinks are included on this path and it is absolute"? It'd probably be a lot simpler to patch the "check" function to also modify the path to be absolute and without symlinks than to rework every function to work with file descriptors instead of file names. The kernel can presumably preform the check without fear of TOCTOU, tossing back a nice error.

Obviously, it's a bit late, and there are probably a long list of very good reasons that people haven't already done this. But I think this is a bug that will keep appearing time and time again, and making it an easy fix for developers will hopefully mitigate it a lot.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 21:30 UTC (Thu) by jra (subscriber, #55261) [Link] (21 responses)

It's not the openXXX() that's the problem. It's everything else too. Everything that takes a path (and there are many such calls in POSIX) is broken w.r.t symlinks and security unless application developers are insanely careful. No one ever is.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 21:37 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (8 responses)

The heart of the issue are processes working at different permission levels and sharing the same namespace. This simply can't be made secure.

Future OSes should reject the ACL and permission nonsense and instead move to true container-like isolation.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 22:13 UTC (Thu) by jra (subscriber, #55261) [Link] (3 responses)

Again, I fully agree with you about that. There's a project being lead by Red Hat to help containerize Sba which I'm hoping will bear fruit soon.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 22:14 UTC (Thu) by jra (subscriber, #55261) [Link] (1 responses)

Damn phone keyboard. For Sba read Samba of course.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 23:52 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

LOL.

I actually Googled "Sba RedHat" and just was going to ask what it is.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:59 UTC (Fri) by phlogistonjohn (subscriber, #81085) [Link]

For the curious, I believe the projects Jeremy is referring to are our efforts here:
https://github.com/samba-in-kubernetes/samba-container/
and the related projects in our org https://github.com/samba-in-kubernetes/

Note that despite the name "kubernetes" in the org, the container images are designed not to be k8s
specific. I'd love to see other uses of the container images for docker/docker-compose, podman, etc. The name was partly chosen because we do have other k8s specific integration plans... and we could abbreviate it as "SINK" ;-)
Thank you for the opportunity for a bit of free advertising.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 10:10 UTC (Fri) by taladar (subscriber, #68407) [Link] (3 responses)

Containers wouldn't really help you with servers like Samba that need to allow for different permissions for different remote users. Nor would they help for permission changes over time. In fact I would go so far as to say containers wouldn't help you with this sort of issue at all.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 13:30 UTC (Fri) by joib (subscriber, #8541) [Link] (2 responses)

Just putting samba, as is, into a docker/podman/whatever container with full permissions won't fix anything, yes.

But maybe something like when a new user connects, fork a new process to handle that user, create appropriately restricted namespaces for that process (call it a "container" if you like), and finally switch the process uid to that user?

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 16:53 UTC (Sun) by marcH (subscriber, #57642) [Link]

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 19:24 UTC (Wed) by ssmith32 (subscriber, #72404) [Link]

You'd still need to deal with giving multiple users different levels of access (r/w, at least), to the same file/directory. But it would help with the directory escape bugs.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 23:51 UTC (Thu) by nix (subscriber, #2304) [Link] (10 responses)

I thought of something a few hours ago, but commented on it in the wrong article... so maybe here it'll be more noticeable. (And I got a chance to elaborate a bit more...)

An alternative approach that breaks much less, probably nothing, while retaining the security benefits of root-only symlinks: non-root-owned symlinks (or, more generally, symlinks with uids not specified in a new file under /proc/sys somewhere: root only by default) are only followed by the user that owns them: other users get the effect of O_NOFOLLOW on that symlink without needing to ask for it.

Now hostile users can create all the symlinks they want, as can non-hostile users, and the use case the non-hostile users wanted still works (they can follow symlinks they created, and symlinks the sysadmin or package installer created), while the hostile users find that they are following the hostile symlinks they created, but nobody else is. This obviously should apply at all stages in path resolution, including if a path contains a symlink to a directory. (I don't think we need to worry about races involving symlink ownership suddenly changing, since only root can do that and if root is malicious you've already lost.)

Anyone still broken by this is probably using gid-shared directories for something, like it was the 1980s still. They're probably using ACLs too. A slightly more permissive mode, off by default or on only in directories with the setgid bit active or perhaps which are gid-writable, could apply the same check based on the gid of the symlink instead of the uid, which would fix this use case too. I'm sceptical this use case is common enough to worry about, though.

But symlink following in the specific case of following symlinks the admin made and symlinks the user themselves made is so useful that it simply shouldn't be broken. It's not some program's decision to not let me stitch things together with symlinks I created: it's mine, and programs should always follow them. Symlinks a random hostile user created, though -- why would I ever want to follow those? And thankfully file ownership tracks this perfectly well so we can always get the answer right :)

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 0:18 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link] (2 responses)

While this is an interesting idea, I think it will likely be a non-starter because it changes long-established behavior. There will be things that break because of this, and "don't break userspace" is an important enough principle that it will not fly.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 14:27 UTC (Fri) by nix (subscriber, #2304) [Link]

Well, that's why the whole thing is optional (controlled via a flag in /proc/sys/fs). There are *already* flags in /proc/sys/fs that tweak symlink behaviours: this is just another one. (Actually, this is just a variant of what protected_symlinks == 1 already provides. I'm not sure why that's not enough.)

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 2:55 UTC (Sat) by bartoc (subscriber, #124262) [Link]

Generally, I think linux is fine adding in (usually default to off) options that break userspace in the name of security (I could be wrong). I think something like this is worth trying out at least to see how much stuff breaks, given it could remove a whole class of toctou bugs.

My userspace was just broken by lack of `/dev/mem` on my fedora box (I was trying to fetch the EDID of my display)

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 0:53 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (3 responses)

Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks? If so, all root processes are now vulnerable to these issues. If not, manual readlinks are needed to figure out where some path that was logged actually exists. And once those routines exist, they'll show up in all kinds of compat or convenience wrappers, have bugs themselves, and probably just put us back to where we started except now there'd be umpteen symlink resolution impls to check and maintain.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 12:50 UTC (Fri) by ibukanov (guest, #3942) [Link]

I suppose with idea root will follow only root-crated symlinks.

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 18:23 UTC (Sun) by khim (subscriber, #9252) [Link] (1 responses)

> Wouldn't this make analysis harder? That is, would root follow arbitrary symlinks?

Root would follow only root-created symlinks. Everyone else would also follow root-created symlinks. Everyone else would just follow their own symlinks.

It's actually interesting idea. Would need to see how many packages would break, but this wouldn't effect things like git (people rarely use unix permissions in the middle of git repos) while most distro-provided system symlinks would work.

I think there are some container solutions which use per-app UID (like on Android), would need to decide what to do about these.

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 19:02 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

Hm. I wonder how viable it would be to implement this using the BPF LSM?

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 8:59 UTC (Wed) by pmatilai (subscriber, #15420) [Link] (2 responses)

Yup, that is exactly the approach rpm started taking internally since 2017: https://github.com/rpm-software-management/rpm/commit/f2d...
I've yet to see it break any legitimate case in the packaging world.

That commit is of course only a tiny fraction (and buggy at that) of the overall problem which we're only just now getting close to resolving it in a wider sense - much like Samba, rpm traditionally used absolute paths for everything.

The long road to a fix for CVE-2021-20316

Posted Feb 18, 2022 1:50 UTC (Fri) by nix (subscriber, #2304) [Link]

Aha! I see there are no new ideas, only ideas someone else already implemented, better :) The 'target directory owner' idea is a nice addition, which could probably be added in to what I thought up above to close even more cases where legitimate use might be broken without enabling any troublesome cases at all.

The long road to a fix for CVE-2021-20316

Posted Feb 18, 2022 17:46 UTC (Fri) by nybble41 (subscriber, #55106) [Link]

> [from the linked commit] The rationale is that if you can create symlinks owned by user X you *are* user X (or root), and if you also own directory Y you can do whatever with it already, including change permissions.

This is a false assumption. The owner of a file or directory can only change permissions or make other changes to it *if they can obtain a reference*. If you own /a/b but don't have search permissions (+x) on /a (and don't have /a/b as your current directory or some similar corner case) then you can't do anything with /a/b. However, under this rule you can still create a symlink to /a/b which would be followed by other users because you own /a/b, even though you can't access it yourself through /a. (The same issue impacts /proc/sys/fs/protected_symlinks=1.)

One option I haven't seen suggested yet would be to use the intersection of the permissions available to the original user and the owner(s) of any symlink(s) followed while resolving the path. Though in practice you might need more information than just the symlink's UID and GID to serve as the credentials, especially when relying on "negative ACLs", pluggable security modules like SELinux, or narrower group permissions overriding, rather than supplementing, broader "other" permissions.

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 2:52 UTC (Sat) by bartoc (subscriber, #124262) [Link]

embracing the AT calls is still a good idea imo, there have been windows apps with toctou bugs that would have been fixed with a proper openat equivalent, and windows requires administrator ACLs to create symlinks (for exactly this reason)

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 9:27 UTC (Fri) by NYKevin (subscriber, #129325) [Link]

For open, this already exists, see RESOLVE_NO_SYMLINKS in openat2(2). The problem is, nobody uses it (which is not helped by the fact that the man page specifically tells you not to use it, or at least to let the user turn it off and shoot themself in the foot). Besides, there are plenty of APIs which do not (and for some use cases, probably cannot) accept a file descriptor as an argument.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 9:43 UTC (Fri) by dullfire (guest, #111432) [Link]

The addition of such a flag, and then telling people to use it as a fix for TOCTOU races with symlinks would effectively be telling them to drop support for symlinks in those programs.

Which would be a massive regression.

The long road to a fix for CVE-2021-20316

Posted Feb 10, 2022 23:53 UTC (Thu) by xecycle (subscriber, #140261) [Link] (4 responses)

I wonder how did the “LTS” distros respond? That said it’s hard to fix in old versions, seems it would be another slog for packagers who decide to backport all fixes. Or did they simply push a new version?

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 0:27 UTC (Fri) by LtWorf (subscriber, #124958) [Link]

At this point they can either push the new version or just drop it from the repository. No other alternative

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 7:43 UTC (Fri) by pbonzini (subscriber, #60935) [Link]

They will either leave it unpatched (certainly in patch updates, possibly in minor releases too) or switch to a new version. It happens rarely, but sometimes there just isn't a choice.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 9:31 UTC (Fri) by NYKevin (subscriber, #129325) [Link]

Technically, it depends on your threat model. If you know that attackers cannot create symlinks (for example, because you've patched Samba to disallow this operation, and you don't give untrusted users local shell access), then in principle there is no security hole. But I doubt that distros can make that kind of guarantee with respect to end user deployments.

Nevertheless, if you're an IT department deploying Samba on e.g. a NAS, you probably *can* make that sort of guarantee. I'm not saying this is a good idea, however.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:16 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

Sometimes, this happens to operating systems and you suck it up.

Windows NT 4 was known to be broken. IIRC some of its system calls (syscalls aren't *supposed* to be ABI compatibility points in Windows, but in practice if enough people rely on one then Microsoft can't change it) were just inherently insecure as with the old path based calls Samba is using here, there was no way to fix them without a rewrite of the relevant OS components and potentially breaking all the affected software.

If you went to Microsoft and said, "Look, this important security stuff is broken in NT4, where's a fix?" their answer was "Windows 2000". Is that a free upgrade? Nope, tough. If you want the important security fixes, buy the new operating system.

Life is like that. The people who own the building where I live discovered that their fire insulation wasn't up to specification in some voids, so they spent a pile of money fixing it and it came out of normal operating funds (thus paid for by home owners like me). But after Grenfell, lots of people in tall buildings found out that the entire outer layer of their building was a fire hazard and the consequence was their homes became unsaleable and (unless Government decides to step in and fix it or force the builders to fix it, which they still haven't many years later) they would need to spend far more money than they have to solve the problem and be able to sell their home. Ouch.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:17 UTC (Fri) by Paf (subscriber, #91811) [Link] (2 responses)

“ Unfortunately, there is inevitably a window between when the server performs the check and when it actually creates the directory.”

There doesn’t have to be, or at least not this kind…. Having a separate *path navigation* for security check and for the operation is … wow. You do a security oriented lookup on the entity (in this case the parent), checking permissions as you go, then you have the entity. You then just use it. That the path is processed twice is … loopy and obviously a huge problem.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 15:23 UTC (Fri) by Paf (subscriber, #91811) [Link] (1 responses)

Having read more carefully, I can see the history here that leads to this, but I doubt many other *file systems* share this vulnerability. But processing a *path* more than once during what should be an atomic operation makes the operation obviously and deeply non-atomic. It’s also going to be less efficient, possibly a lot less. Other projects probably have issues with symlinks, but my guess is not many file systems will.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 17:45 UTC (Fri) by jra (subscriber, #55261) [Link]

It's not file systems. It's applications. Or even system libraries. Most of them are just not symlink-safe. Some of the ones I know about are system *security* libraries. It's a big mess.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 16:39 UTC (Fri) by ldearquer (guest, #137451) [Link] (4 responses)

>> the server makes sure that the requested directory actually lies within the exported SMB share rather than being at some arbitrary location elsewhere in the server's filesystem

But why do Samba servers have write access to any locations other than the SMB share in the first place? Or is this for cases where SMB share == the whole filesystem?

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 17:47 UTC (Fri) by jra (subscriber, #55261) [Link] (3 responses)

Samba (smbd) is just an application running on Linux. By default it can access anywhere on the filesystem the logged on user has access to. The point of Samba is to designate a small area of the filesystem (e.g. /data/exported/for/group) and ensure that *no* access outside oe the path "/data/exported/for/group" or sub-directories below it is ever possible.

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:00 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (2 responses)

Can you at least stick the Samba process in a container (or maybe a chroot) so that it can't get to random other paths?

The long road to a fix for CVE-2021-20316

Posted Feb 11, 2022 18:43 UTC (Fri) by jra (subscriber, #55261) [Link] (1 responses)

We did explore a chroot solution. Problem is there are many restrictions on that which make it impossible to use with Samba without a complete rewrite. Rewriting the VFS was an easier task, believe me :-).

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 0:20 UTC (Sat) by gerdesj (subscriber, #5446) [Link]

Samba is an amazing piece of kit. Your user base is *cough* technically varied in its skill set. It is expected to dance on a shitty old NAS with wheezing discs to the latest bleeding edge SAN as a side trick and all things in between. The expectations of those users is broader than the smile on a croc that has discovered a zebra nursery ... must work on that analogy - a bit brutal.

I can remember testing out Ben Greer's smart new VLAN code in the kernel to get a set of smbd and nmbds running on a fairly large network to get a browse list together. This is me a few years back: https://lwn.net/Articles/75489/ whittering on about it.

Samba makes CIFS/SMB work in ways that MS has never even imagined. That's the thing - imagination. Samba is imaginative where the MS option is rather staid and boring.

Now if it was possible to get ACLs to work like NetWare nwfs/nss ie dynamically calculated on the fly, that would be quite handy.

Anyway, cheers Jez. That was a lot of work fixing things up. Thank you.

The long road to a fix for CVE-2021-20316

Posted Feb 12, 2022 8:53 UTC (Sat) by cozzyd (guest, #110972) [Link]

Did SELinux mitigate this issue? Not sure hownit handles Samba.

The long road to a fix for CVE-2021-20316

Posted Feb 13, 2022 19:40 UTC (Sun) by metalheart (guest, #89328) [Link] (20 responses)

What is the use-case to support symbolic links on Windows file sharing?
From my past experience it makes changes in organizational structure easier to implement on file server directory structure (you do not need to copy data from one share to another). What else?

The long road to a fix for CVE-2021-20316

Posted Feb 14, 2022 8:07 UTC (Mon) by eru (subscriber, #2753) [Link] (19 responses)

Symlinks may be problematic, but IMHO they are also one of the killer features Linux (and relatives) have over that other OS.

The long road to a fix for CVE-2021-20316

Posted Feb 14, 2022 17:32 UTC (Mon) by jra (subscriber, #55261) [Link] (5 responses)

No, they aren't anymore. Windows has admin-only created symlinks. The key difference is only root can create them.

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 12:18 UTC (Tue) by eru (subscriber, #2753) [Link] (1 responses)

The Windows symlink-like feature is hard to use, and last I tried it, it was nearly undocumented (admittedly that was several years ago when I needed it). On the Windows command line, there was no equivalent to "ln -s". They might as well not exist, for all the good they do there. Maybe Windows uses them internally for something, but no end-user does.

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 14:09 UTC (Tue) by rahulsundaram (subscriber, #21946) [Link]

> On the Windows command line, there was no equivalent to "ln -s". They might as well not exist, for all the good they do there. Maybe Windows uses them internally for something, but no end-user does.

Your info is heavily outdated. It is well supported and well documented these days.

https://docs.microsoft.com/en-us/windows-server/administr...

The long road to a fix for CVE-2021-20316

Posted Feb 19, 2022 17:10 UTC (Sat) by Jandar (subscriber, #85683) [Link] (2 responses)

> Windows has admin-only created symlinks.

Marvelous, a kind of symlink a user can't use. What comes next, only admin approved (*) programs can create executables? Doubtless it would be a security enhancement if no executable memory-mapping could contain bytes generated by an arbitrary program.

Most symlinks I use or encounter are made by users within their own directories pointing into other parts of their own space.

* The mainframe I used at university had such a concept. IIRC only an admin at the console could set the compiler-permission.

The long road to a fix for CVE-2021-20316

Posted Feb 21, 2022 0:38 UTC (Mon) by Fowl (subscriber, #65667) [Link] (1 responses)

Well, yeah. This is how many corporate managed devices, and all iOS and Android devices work.

The long road to a fix for CVE-2021-20316

Posted Feb 22, 2022 16:56 UTC (Tue) by Jandar (subscriber, #85683) [Link]

> This is how many corporate managed devices, and all iOS and Android devices work.

And this is why an Android device even with a Linux kernel doesn't provide a very Unix like experience.

If my desktop, laptop or servers would restrict me in the same way as an Android device I would immediately switch the distribution or to something more different like one of the BSDs.

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 16:07 UTC (Tue) by Wol (subscriber, #4433) [Link] (12 responses)

> they are also one of the killer features

What's so "killer feature" about them?

Coming from OSs that didn't have symlinks, I don't use them. I do make use of hard links, mostly to provide multiple links to semi-archive material (and also to protect against accidental deletion, which symlinks don't). So what ARE the advantages?

Cheers,
Wol

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 17:44 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (11 responses)

> So what ARE the advantages?

* You can symlink across filesystems, but hard links only work within filesystems.

* If a file is deleted and replaced (i.e. the ubiquitous "atomic rename" pattern) this breaks hard links, but not symlinks.

* Symlinks can point to directories, while hard links to directories are either disallowed altogether or heavily restricted.

* Symlinks interact better with filesystem quotas. If you can create a hard link to a file owned by another user in a location they can't access, and the original path is later deleted, then you can cause that part of their quota to be permanently inaccessible to them. (Alternatively, the system can disallow hard links to other user's files—in which case the advantage of symlinks is not having this restriction.)

* You can read a symlink to determine where it goes, but with hard links you only have an inode number.

* Directory entries accessed through symlinks have canonical paths, but hard-linked inodes have multiple, equally authoritative, paths.

> Coming from OSs that didn't have symlinks, I don't use them.

Which OS do you use that doesn't have symlinks? Not Linux, or MacOS, or Windows… though symlinks in Windows are a bit different, it does have them. You create them with the "mklink" command. They aren't strictly limited to administrator accounts either; that's just a default setting. The biggest difference is that Windows distinguishes between symlinks to files and symlinks to directories. It also has "junction points" which work much like symlinks (but only for directories). Also let's not forget "shortcuts" (*.lnk files), which are basically symlinks implemented somewhat inconsistently at a layer above the kernel. These have been around since Windows ran under DOS.

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 19:24 UTC (Tue) by jra (subscriber, #55261) [Link] (2 responses)

Symlinks are seductive. They provide all the benefits you enumerate, but at the cost of completely destroying application security when working with pathnames. They took the beautiful POSIX API of a directory tree structure and turned it into a graph.

After enough years, I'm convinced they were a foundational mistake in POSIX. We need to move past them and stop this mistake from being repeated. More in my SambaXP talk :-).

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 20:13 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

You can transform the tree into a graph using bind mounts. So arguably it's the POSIX API that is not beautiful.

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 18:55 UTC (Wed) by jra (subscriber, #55261) [Link]

Bind mounts are an interesting case. They're much newer than symlinks, and the security implications of allowing any user to perform them are not yet well explored. But they are a separate user-initiated operation which is not normally exposed over network filesystems, making them really a local-only attack.

They actually change the view of the filesystem hierarchy in a way that symlinks don't. Symlinks are a point attack that can modify a specific path quickly and easily to anywhere on the filesystem if allowed or exposed over a network filesystem. IMHO they are much more dangerous.

The long road to a fix for CVE-2021-20316

Posted Feb 15, 2022 19:45 UTC (Tue) by Wol (subscriber, #4433) [Link] (3 responses)

> Which OS do you use that doesn't have symlinks?

DID I use ... they pre-date linux, MacOS and Windows ...

A Multics-derivative called Pr1mos, various DOSes (I don't think I used CP/M ...) (and I don't mean MS-DOS and derivatives ...)

There used to be a world with many different OSes, not just the three behemoths we have now.

Cheers,
Wol

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 15:06 UTC (Wed) by foom (subscriber, #14868) [Link] (2 responses)

Classic macos didn't have symlinks either. It did have "aliases", but those were (and are -- they still exist in modern macos, alongside symlinks and hardlinks and copy-on-write copies..) more akin to windows lnk files, as they're resolved at a higher level than basic filesystem traversal.

This allows them to be less fragile -- they store multiple ways of finding the original file, so it can still be used even in case the target has been moved or renamed. They can also do things like display a gui prompt to ask the user to insert the appropriate floppy disk which contains the target file, or automatically mount the proper remote volume.

However, the downside is that they are not functional for command-line/cross platform programs, which don't use alias-aware file access apis.

The long road to a fix for CVE-2021-20316

Posted Feb 17, 2022 12:52 UTC (Thu) by khim (subscriber, #9252) [Link] (1 responses)

> However, the downside is that they are not functional for command-line/cross platform programs, which don't use alias-aware file access apis.

But classic MacOS had no support for command-line apps which solved that problem.

The long road to a fix for CVE-2021-20316

Posted Feb 19, 2022 21:56 UTC (Sat) by foom (subscriber, #14868) [Link]

Classic macos did, kinda, have a shell, shell scripts, and command line apps, in MPW (https://en.m.wikipedia.org/wiki/Macintosh_Programmer's_Workshop). But that was just an app, not the fundamental underpinnings of the system.

(Of course modern macos does have both command line POSIX apps and aliases)

The long road to a fix for CVE-2021-20316

Posted Feb 16, 2022 14:22 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (1 responses)

> * If a file is deleted and replaced (i.e. the ubiquitous "atomic rename" pattern) this breaks hard links, but not symlinks.

Some programs still break symlinks because they operate on the pathname, not the result of following the symlink (basically, they replace the symlink instead of replacing the destination file).

The long road to a fix for CVE-2021-20316

Posted Feb 17, 2022 14:43 UTC (Thu) by Karellen (subscriber, #67644) [Link]

I think the parent commenter was referring to the case where you have a symlink somewhere pointing to /foo/bar, and /foo/bar is replaced through its canonical path, rather than through the symlink. In that case, the symlink (wherever it is) remains pointing at the new /foo/bar

The long road to a fix for CVE-2021-20316

Posted Feb 23, 2022 12:11 UTC (Wed) by anton (subscriber, #25547) [Link] (1 responses)

* Symlinks interact better with filesystem quotas. If you can create a hard link to a file owned by another user in a location they can't access, and the original path is later deleted, then you can cause that part of their quota to be permanently inaccessible to them. (Alternatively, the system can disallow hard links to other user's files—in which case the advantage of symlinks is not having this restriction.)
Given that ownership (and pretty much all other metadata) is stored with the inode, and a hard link is just another reference to the same inode, it's impossible to create a hard link with different ownership (or other metadata) than the original. On some file systems you can create a reflink (new inode, shared data); I don't know how these file systems implement the quota in this case, but IMO the way to handle this is to blame the cost of the file in full on all users (i.e., as in a regular copy).
[/tmp:128248] ls -l foo
-rw-r--r-- 1 root root 4 Feb 23 12:56 foo
[/tmp:128249] ln foo bar
ln: failed to create hard link 'bar' => 'foo': Operation not permitted
[/tmp:128251] cp --reflink foo bar
[/tmp:128252] ls -l bar
-rw-r--r-- 1 anton users 4 Feb 23 12:57 bar

The long road to a fix for CVE-2021-20316

Posted Feb 23, 2022 19:37 UTC (Wed) by nybble41 (subscriber, #55106) [Link]

> Given that ownership (and pretty much all other metadata) is stored with the inode, and a hard link is just another reference to the same inode, it's impossible to create a hard link with different ownership (or other metadata) than the original.

Yes, but you can create a hardlink to a file you don't own in a location which the owner of the hardlinked inode can't access. If they later lose their own path to the inode (by unlinking it, for example) then the inode continues to exist, because of the hardlink, and thus continues to count against their quota, but they have no way to remove it.


Copyright © 2022, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy