freebsd kernel with SKQ
Go to file
kevans deeb56f911 vfs: add restrictions to read(2) of a directory [1/2]
Historically, we've allowed read() of a directory and some filesystems will
accommodate (e.g. ufs/ffs, msdosfs). From the history department staffed by
Warner: <<EOF

pdp-7 unix seemed to allow reading directories, but they were weird, special
things there so I'm unsure (my pdp-7 assembler sucks).

1st Edition's sources are lost, mostly. The kernel allows it. The
reconstructed sources from 2nd or 3rd edition read it though.

V6 to V7 changed the filesystem format, and should have been a warning, but
reading directories weren't materially changed.

4.1b BSD introduced readdir because of UFS. UFS broke all directory reading
programs in 1983. ls, du, find, etc all had to be rewritten. readdir() and
friends were introduced here.

SysVr3 picked up readdir() in 1987 for the AT&T fork of Unix. SysVr4 updated
all the directory reading programs in 1988 because different filesystem
types were introduced.

In the 90s, these interfaces became completely ubiquitous as PDP-11s running
V7 faded from view and all the folks that initially started on V7 upgraded
to SysV. Linux never supported this (though I've not done the software
archeology to check) because it has always had a pathological diversity of
filesystems.
EOF

Disallowing read(2) on a directory has the side-effect of masking
application bugs from relying on other implementation's behavior
(e.g. Linux) of rejecting these with EISDIR across the board, but allowing
it has been a vector for at least one stack disclosure bug in the past[0].

By POSIX, this is implementation-defined whether read() handles directories
or not. Popular implementations have chosen to reject them, and this seems
sensible: the data you're reading from a directory is not structured in some
unified way across filesystem implementations like with readdir(2), so it is
impossible for applications to portably rely on this.

With this patch, we will reject most read(2) of a dirfd with EISDIR. Users
that know what they're doing can conscientiously set
bsd.security.allow_read_dir=1 to allow read(2) of directories, as it has
proven useful for debugging or recovery. A future commit will further limit
the sysctl to allow only the system root to read(2) directories, to make it
at least relatively safe to leave on for longer periods of time.

While we're adding logic pertaining to directory vnodes to vn_io_fault, an
additional assertion has also been added to ensure that we're not reaching
vn_io_fault with any write request on a directory vnode. Such request would
be a logical error in the kernel, and must be debugged rather than allowing
it to potentially silently error out.

Commented out shell aliases have been placed in root's chsrc/shrc to promote
awareness that grep may become noisy after this change, depending on your
usage.

A tentative MFC plan has been put together to try and make it as trivial as
possible to identify issues and collect reports; note that this will be
strongly re-evaluated. Tentatively, I will MFC this knob with the default as
it is in HEAD to improve our odds of actually getting reports. The future
priv(9) to further restrict the sysctl WILL NOT BE MERGED BACK, so the knob
will be a faithful reversion on stable/12. We will go into the merge
acknowledging that the sysctl default may be flipped back to restore
historical behavior at *any* point if it's warranted.

[0] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
MFC after:	1 month (note the MFC plan mentioned above)
Relnotes:	absolutely, but will amend previous RELNOTES entry
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:09:55 +00:00
bin vfs: add restrictions to read(2) of a directory [1/2] 2020-06-04 18:09:55 +00:00
cddl Restore the binary compatibility for link_map l_addr. 2020-05-21 22:24:23 +00:00
contrib lld: Set DF_1_PIE for -pie 2020-06-02 22:57:13 +00:00
crypto Merge OpenSSL 1.1.1g. 2020-04-21 19:38:32 +00:00
etc Restrict default /root permissions 2020-06-04 16:04:19 +00:00
gnu binutils: build as with BINUTILS || BINUTILS_BOOTSTRAP 2020-05-30 19:16:33 +00:00
include Revert r361770 "Add pthread_getname_np() and pthread_setname_np() aliases" for now. 2020-06-04 09:06:03 +00:00
kerberos5 Update Makefile.depend files 2019-12-11 17:37:53 +00:00
lib vfs: add restrictions to read(2) of a directory [1/2] 2020-06-04 18:09:55 +00:00
libexec Uppercase 'dso' to indicate that it is abbreviation. 2020-06-02 17:33:10 +00:00
release Include the shells/bash port on Vagrant images, which prevents 2020-05-28 18:48:30 +00:00
rescue rescue: Remove useless linking with libl 2020-03-24 07:08:02 +00:00
sbin dhclient: Fix a logic bug remove_protocol(). 2020-06-04 16:24:13 +00:00
secure Install 32-bit libcrypto engines in /usr/lib32/engines instead of 2020-06-01 18:58:09 +00:00
share Update vt(4) config option names to chase r303043. 2020-06-04 16:05:24 +00:00
stand lualoader: drop the filename and word "LUA" from errors 2020-06-03 18:29:32 +00:00
sys vfs: add restrictions to read(2) of a directory [1/2] 2020-06-04 18:09:55 +00:00
targets libalias: retire cuseeme support 2020-05-16 02:29:10 +00:00
tests bridge tests: Avoid building a switching loop 2020-06-01 19:26:16 +00:00
tools Add deprecation notice to WITH_BINUTILS option description 2020-05-30 16:13:21 +00:00
usr.bin Add EXAMPLES to killall(1) 2020-06-04 04:29:43 +00:00
usr.sbin Fix mountd to handle getgrouplist() not returning groups[0] == groups[1]. 2020-06-04 00:28:20 +00:00
.arcconfig
.arclint arc lint: ignore /tests/ in chmod 2017-12-19 03:38:06 +00:00
.cirrus.yml Cirrus-CI: increase timeout to 120m 2020-02-19 15:56:40 +00:00
.clang-format Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitattributes Add a basic clang-format configuration file 2019-06-07 15:23:52 +00:00
.gitignore Vendor import of Unbound 1.10.1. 2020-05-21 05:01:52 +00:00
COPYRIGHT Happy New Year 2020! 2019-12-31 16:01:36 +00:00
LOCKS LOCKS: update current locks 2018-06-09 03:08:04 +00:00
MAINTAINERS ice(4): Introduce new driver for Intel E800 Ethernet controllers 2020-05-26 23:35:10 +00:00
Makefile Use universe-toolchain config(8) 2020-04-29 02:18:39 +00:00
Makefile.inc1 Makefile.inc1: remove BINUTILS_BOOTSTRAP linker support 2020-05-30 16:20:18 +00:00
Makefile.libcompat Stop building libl and liby 2020-03-26 08:23:09 +00:00
Makefile.sys.inc AUTO_OBJ: For all top-level targets enforce using an OBJDIR. 2017-12-05 21:29:47 +00:00
ObsoleteFiles.inc Catch up with r361700. 2020-06-01 19:34:21 +00:00
README README: add generic notes about GENERIC and NOTES 2018-06-17 19:44:24 +00:00
README.md Vendor import of Unbound 1.10.1. 2020-05-21 05:01:52 +00:00
RELNOTES Mention new jail(8) command hooks in RELNOTES 2020-05-19 18:41:46 +00:00
UPDATING Add an UPDATING entry for r360964 2020-05-28 22:05:33 +00:00

FreeBSD Source:

This is the top level of the FreeBSD source directory. This file was last revised on: FreeBSD

FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.

The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information, including setting make(1) variables.

Source Roadmap:

bin		System/user commands.

cddl		Various commands and libraries under the Common Development
		and Distribution License.

contrib		Packages contributed by 3rd parties.

crypto		Cryptography stuff (see crypto/README).

etc		Template files for /etc.

gnu		Various commands and libraries under the GNU Public License.
		Please see gnu/COPYING* for more information.

include		System include files.

kerberos5	Kerberos5 (Heimdal) package.

lib		System libraries.

libexec		System daemons.

release		Release building Makefile & associated tools.

rescue		Build system for statically linked /rescue utilities.

sbin		System commands.

secure		Cryptographic libraries and commands.

share		Shared resources.

stand		Boot loader sources.

sys		Kernel sources.

sys/<arch>/conf Kernel configuration files. GENERIC is the configuration
		used in release builds. NOTES contains documentation of
		all possible entries.

tests		Regression tests which can be run by Kyua.  See tests/README
		for additional information.

tools		Utilities for regression testing and miscellaneous tasks.

usr.bin		User commands.

usr.sbin	System administration commands.

For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html