From: Andreas Gruenbacher <ag@bestbits.at>
To: <acl-devel@bestbits.at>
Subject: [Acl-Devel] Version 0.8.25: Kernel security update; ACL utilities 2.0.5c: setfacl fix
Date: Sun, 7 Apr 2002 22:57:30 +0200 (CEST)

Hello,

Version 0.8.25 of the kernel patches removes extended user attribute support for symbolic links and special files. As explained below, it has turned out that extended user EA's for these types of files are conceptually broken. This change is classified as a security fix.

This change does not affect ACLs in any way. ACLs are still allowed for all files except symbolic links.

Version 2.0.5c of the ACL utilities fixes a bug that causes errors resulting from setting ACLs with the setfacl utility not to be reported. This bug was introduced only recently.

As always, please see the change logs for more detailed descriptions of the changes.

RECOMMENDATION TO UPGRADE

Since the fixes in the kernel patches are security related, it is recommended to upgrade. To avoid that errors when using setfacl go undetected, upgrading the ACL utilities is also recommended.

EXTENDED USER EA's FOR SPECIAL FILES AND SYMLINKS

In 0.8.21 extended user attribute support for special files and symbolic links has been added, with the idea of removing the remaining semantic differences between the XFS and ext2/ext3 file systems. It has turned out that the permission model for user EA's for these file types is flawed.

The original reasoning for disallowing user EA's on special files was that the permissions of special files denote the permissions for accessing the device, rather than the permission for accessing the inode that describes the device. Therefore, the same permissions should not be used to also define access to data associated with the inode. Allowing extended user attributes for special files would grant everybody the right to set extended user attributes on device special files such as /dev/null, for example. This is not the expected behavior.
(Since the amount of disk space used for extended user attributes is not limited on XFS file systems, this may even lead to denial of service attacks. Due to the limitations of the ext2/ext3 EA implementations, denial of service attacks are not possible, but the permission model is still broken.)

Extended user attributes for symbolic links are broken in a similar way: On ext2/ext3, the permissions of symbolic links are always set to "rwxrwxrwx", so everybody would always have full access to symlink user EA's. This simply makes no sense.

--Andreas.

------------------------------------------------------------------------
 Andreas Gruenbacher, a.gruenbacher@computer.org
 Contact information: http://www.bestbits.at/~ag/
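An added example, not part of the original announcement or of the kernel patches: a Linux audit sketch in Python that finds symbolic links and special files still carrying user.* attributes, for instance ones set while a 0.8.21 to 0.8.24 kernel was running. The function names and the mode-bit model of the flawed check are assumptions made for illustration.

```python
import os
import stat

def user_ea_allowed(mode):
    """Rule after 0.8.25 as described above: no user EAs on symlinks or special files."""
    special = (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)
               or stat.S_ISFIFO(mode) or stat.S_ISSOCK(mode))
    return not (stat.S_ISLNK(mode) or special)

def world_writable_ea(mode):
    """Assumed model of the flawed check: the inode's own write bits gate
    writes to its user EAs, so 'other' write means anyone may set them."""
    return bool(mode & stat.S_IWOTH)

def audit(root):
    """Yield (path, kind, world_writable, user_ea_names) for every symlink
    or special file under root. lstat and follow_symlinks=False inspect the
    link itself, never its target."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if user_ea_allowed(mode):
                continue
            kind = "symlink" if stat.S_ISLNK(mode) else "special"
            try:
                names = [n for n in os.listxattr(path, follow_symlinks=False)
                         if n.startswith("user.")]
            except OSError:
                names = []  # no EA support on this filesystem, or access denied
            yield path, kind, world_writable_ea(mode), names

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/dev"
    for path, kind, open_to_all, names in audit(root):
        if names:
            print(f"{path}: {kind}, world-writable={open_to_all}, user EAs={names}")
```

Run as a script it prints only the inodes that actually hold user.* attributes; an empty result on a patched kernel means nothing was left behind under the scanned root.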