Symlinks inside a jail are resolved before a file is opened or a directory is created. If an attacker waits for the path check to pass and then swaps the symlink target immediately afterwards, the resulting race condition (a time-of-check/time-of-use bug) can give read or write access to files on the host system from inside an unsafe jail.
This issue can be mitigated by opening the file and holding the file descriptor before the check is applied, so that the same path is never resolved twice: the check then runs against the object that was actually opened.
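The open-then-check pattern described above, as an added example that is not the project's own code: `open_in_jail` and `jail_self_check` are hypothetical names, and the check is applied to the held descriptor by reading its resolved target from `/proc/self/fd/N`, which assumes Linux with procfs mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open jail_root/rel first, then verify that the inode we actually hold lies
 * under jail_root (assumption: Linux, path read back via /proc/self/fd/N).
 * Returns an fd, or -1 with errno set (EACCES when the target escapes). */
int open_in_jail(const char *jail_root, const char *rel) {
    char jail[PATH_MAX], path[PATH_MAX], proc[64], target[PATH_MAX];
    if (!realpath(jail_root, jail)) return -1;
    snprintf(path, sizeof path, "%s/%s", jail, rel);
    int fd = open(path, O_RDONLY | O_CLOEXEC);   /* symlinks resolved exactly once, here */
    if (fd < 0) return -1;
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(proc, target, sizeof target - 1);
    if (n < 0) { close(fd); return -1; }
    target[n] = '\0';
    size_t jl = strlen(jail); struct stat st;   /* the check runs on the held fd, not the path */
    if (strncmp(target, jail, jl) != 0 || (target[jl] != '/' && target[jl] != '\0')
        || fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd); errno = EACCES; return -1;
    }
    return fd;
}

/* Self-check on a constructed fixture: a symlink inside the jail pointing at a
 * host file outside it must be rejected, an in-jail symlink accepted. 0 = pass. */
int jail_self_check(void) {
    char base[] = "/tmp/jailXXXXXX", jail[PATH_MAX], in[PATH_MAX], out[PATH_MAX], esc[PATH_MAX], ali[PATH_MAX];
    if (!mkdtemp(base)) return -1;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(in, sizeof in, "%s/data.txt", jail);      /* legitimate in-jail file */
    snprintf(out, sizeof out, "%s/secret.txt", base);  /* host file outside the jail */
    snprintf(esc, sizeof esc, "%s/escape", jail);      /* symlink that escapes the jail */
    snprintf(ali, sizeof ali, "%s/alias", jail);       /* symlink that stays inside */
    if (mkdir(jail, 0700) < 0 || symlink(out, esc) < 0 || symlink("data.txt", ali) < 0) return -1;
    close(open(in, O_WRONLY | O_CREAT, 0600));
    close(open(out, O_WRONLY | O_CREAT, 0600));
    int good = open_in_jail(jail, "alias");
    int bad = open_in_jail(jail, "escape"), err = errno;
    if (good >= 0) close(good);
    return (good >= 0 && bad < 0 && err == EACCES) ? 0 : 1;
}
```

Because the verdict is computed from the descriptor already open, swapping the symlink after the check changes nothing about the file the caller goes on to read or write.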
/me tips hat to @fabiabfreyer