From: Stefan Esser <se@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Subject: Re: how to restrict file access below some top directory
Date: Thu, 10 Feb 2022 09:54:45 +0100
Message-ID: <9e9426bd-c063-0d26-0694-9c0932f7c63e@FreeBSD.org>
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
On 10.02.22 at 09:25, Matthias Apitz wrote:
>
> Hello,
>
> I want to restrict in a C- or Perl-written application the file access to
> only files below some top directory, say
>
> /var/spool/dir/
>
> and not allowing, for example, access to /var/spool/dir/../../../etc/passwd
> Ofc, this could be done easily with chroot(2), but this would require root
> permission. Any other ideas?

Hi Matthias,

how about openat() in combination with capsicum? From the open(4) / openat(4)
man-page:

     In capsicum(4) capability mode, open() is not permitted.  The path
     argument to openat() must be strictly relative to a file descriptor fd.
     path must not be an absolute path and must not contain ".." components
     which cause the path resolution to escape the directory hierarchy
     starting at fd.  Additionally, no symbolic link in path may target
     absolute path or contain escaping ".." components.  fd must not be
     AT_FDCWD.

     If the vfs.lookup_cap_dotdot sysctl(3) MIB is set to zero, ".."
     components in the paths, used in capability mode, are completely
     disabled.  If the vfs.lookup_cap_dotdot_nonlocal MIB is set to zero,
     ".." is not allowed if found on non-local filesystem.
Gruß, Stefan