[Pkg-shadow-devel] Rationale for O_NOFOLLOW
FLORENT CHABAUD
florent.chabaud at eviden.com
Wed Jun 26 13:59:26 BST 2024
Hi everyone,
As this is my first message on the list, let me introduce myself. I'm in charge of Product Security at Eviden, and I'm currently interested in hardening some Baseboard Management Controllers (BMCs) running on Linux (OpenBMC). As a company, we are an HPC and Enterprise server vendor.
As part of this hardening effort, we are investigating some mechanisms to segregate some critical files in a separate memory area, for instance /etc/passwd and /etc/shadow. The rationale for this is that these files may have to survive some reset-to-defaults, while being kept read-write in normal use. The user may want to change their password 😉. On the other hand, other files in /etc must reside in read-only memory as they are bound to the hardware.
The approach we had in mind was to move the corresponding files to a different location and set a symbolic link at the usual place in /etc. During testing, we discovered a shadow limitation which prevents it from following links. Namely, the opening of the file in lib/commonio.c uses the O_NOFOLLOW flag.
https://serverfault.com/questions/491033/cannot-useradd-adduser-when-etc-passwd-shadow-group-are-symlink-debian-squee
As we are on an embedded Linux, we could just recompile shadow without this flag. But before doing this, I'd like to understand the rationale for this flag. Can anyone provide clarification on this?
Thanks in advance.
Bien cordialement / Kind regards,
Florent Chabaud
Chief Product Security Officer – BDS
M: +33 (0) 675 084 850
Rue du Gros Caillou – 78340 Les Clayes-sous-Bois – France
eviden.com<https://eviden.com/>
an atos business
This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. Personal data are processed according to my company privacy policy. Unless you are the intended addressee (or authorized to receive for such intended addressee), you are not allowed to use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply to florent.chabaud at eviden.com<mailto:florent.chabaud at eviden.com> and delete the message. Thank you
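The behaviour the message runs into, as an added example that is not part of the original post and not code from the shadow project: a small C program builds a constructed scratch layout under /tmp (a regular file "passwd.real" and a symlink "passwd" pointing at it, standing in for the /etc/passwd arrangement described above) and opens the link with and without O_NOFOLLOW. With the flag, open(2) refuses to traverse the final path component if it is a symbolic link and fails with ELOOP, which is exactly the failure seen when /etc/passwd is a link. The defensive point is that a privileged tool rewriting /etc/passwd or /etc/shadow cannot be redirected to a different file by a link placed at that path; it only ever writes the inode that really lives there. The function and file names below are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Open `path` with `flags` and report the resulting errno (0 on success).
   The two flag sets exercised below are the choices the mail discusses:
   O_RDWR | O_NOFOLLOW (what lib/commonio.c uses) and plain O_RDWR. */
static int open_errno(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Build a constructed fixture in a fresh temp directory:
     <dir>/passwd.real   regular file (stand-in for the relocated passwd)
     <dir>/passwd        symlink -> passwd.real (stand-in for /etc/passwd)
   then open either the link (via_symlink != 0) or the real file with
   `flags`, tear the fixture down, and return the errno of that open.
   Returns -1 if the fixture itself could not be created. */
int open_in_fixture(int via_symlink, int flags)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";  /* mkdtemp template */
    char target[64], link[64];
    int fd, result = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/passwd.real", dir);
    snprintf(link, sizeof link, "%s/passwd", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        close(fd);
        if (symlink(target, link) == 0) {
            result = open_errno(via_symlink ? link : target, flags);
            unlink(link);
        }
        unlink(target);
    }
    rmdir(dir);
    return result;
}

static void report(const char *label, int err)
{
    printf("%-28s %s\n", label, err == 0 ? "opened" : strerror(err));
}

int main(void)
{
    /* Expected on Linux: ELOOP for the first line, success for the other two. */
    report("symlink, O_NOFOLLOW:", open_in_fixture(1, O_RDWR | O_NOFOLLOW));
    report("symlink, no O_NOFOLLOW:", open_in_fixture(1, O_RDWR));
    report("real file, O_NOFOLLOW:", open_in_fixture(0, O_RDWR | O_NOFOLLOW));
    return 0;
}
```

Only the final path component is affected: O_NOFOLLOW does not stop symlinks in the directory part of the path, so the flag protects the file named in /etc, not the route to it. A mount of the writable area over the path (rather than a symbolic link at the path) leaves no link for open(2) to refuse, which is why that arrangement is unaffected by this flag.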