Re: extended attributes security problem

To: Andi Kleen <ak@xxxxxxx>
Subject: Re: extended attributes security problem
From: Andreas Gruenbacher <ag@xxxxxxxxxxx>
Date: Sun, 7 Apr 2002 17:27:53 +0200 (CEST)
Cc: Ethan Benson <erbenson@xxxxxxxxxx>, <linux-xfs@xxxxxxxxxxx>
In-reply-to: <20020407131619.A13788@xxxxxxxxxxxxx>
Sender: owner-linux-xfs@xxxxxxxxxxx

On Sun, 7 Apr 2002, Andi Kleen wrote:

> On Sat, Apr 06, 2002 at 04:10:40PM -0900, Ethan Benson wrote:
> > On Sat, Apr 06, 2002 at 06:28:42PM +0200, Andreas Gruenbacher wrote:
> > > > 1) some sort of mount options to change xattr semantics, for example
> > >
> > > This does not address the real problem, and therefore makes no sense.
> >
> > i agree, i was mainly looking for options to let me close this hole as
> > fast as possible.
> I'm proposing this patch. As Andreas pointed out it doesn't make much sense
> to set ACLs on symlinks or special devices. I still allow it for root.

There seems to be some misunderstanding here. I was only talking about
extended attributes in the user namespace in my previous reply to Ethan. I
think that user EAs should be disallowed for symlinks and special files.

Which files shall have ACLs is specified in POSIX 1003.1e draft 17:
Symlinks don't have ACLs; all other files do. We have no security problem
with ACLs.


 Andreas Gruenbacher, a.gruenbacher@xxxxxxxxxxxx
 Contact information: http://www.bestbits.at/~ag/