From: Lennart Poettering Date: Wed, 20 Aug 2025 09:37:06 +0000 (+0200) Subject: mountfsd: slightly relax restrictions on dir fds to mount X-Git-Tag: v259-rc1~447 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1a00afe0ffc8255a7c9ed725a373384784f6d4aa;p=thirdparty%2Fsystemd.git mountfsd: slightly relax restrictions on dir fds to mount When establishing a idmapped mount for a directory with foreign mapping we so far insisted in the dir being properly opened (i.e. via a non-O_PATH fd) being passed to mountfsd. This is problematic however, since the client might not actually be able to open the dir (which after all is owned by the foreign UID, not by the user). Hence, let's relax the rules, and accept an O_PATH fd too (which the client can get even without privs). This should be safe, since the load-bearing security check is whether the dir has a parent owned by the client's UID, and for that check O_PATH or not O_PATH is not relevant. --- diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c index fb1d8ebcb48..4f37bbd0815 100644 --- a/src/mountfsd/mountwork.c +++ b/src/mountfsd/mountwork.c @@ -659,7 +659,7 @@ static DirectoryOwnership validate_directory_fd(int fd, uid_t peer_uid) { if (r < 0) return r; - fl = fd_verify_safe_flags_full(fd, O_DIRECTORY); + fl = fd_verify_safe_flags_full(fd, O_DIRECTORY|O_PATH); if (fl < 0) return log_debug_errno(fl, "Directory file descriptor has unsafe flags set: %m"); diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c index 672c6a65cd5..0bc750bafef 100644 --- a/src/shared/dissect-image.c +++ b/src/shared/dissect-image.c @@ -4750,7 +4750,7 @@ int mountfsd_mount_directory( if (r < 0) return log_error_errno(r, "Failed to enable varlink fd passing for write: %m"); - _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC); + _cleanup_close_ int directory_fd = open(path, O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_PATH); if (directory_fd < 0) return log_error_errno(errno, "Failed to open '%s': %m", path);