mirror of
https://github.com/Zygo/bees.git
synced 2025-05-17 21:35:45 +02:00
de38b46dd8
* `nodev`: This reduces rename attack surface by preventing bees from opening any device file on the target filesystem. * `noexec`: This prevents access to the mount point from being leveraged to execute setuid binaries, or execute anything at all through the mount point. These options are not required because they duplicate features in the bees binary (assuming that the mount namespace remains private): * `noatime`: bees always opens every file with `O_NOATIME`, making this option redundant. * `nosymfollow`: bees uses `openat2` on kernels 5.6 and later with flags that prevent symlink attacks. `nosymfollow` was introduced in kernel 5.10, so every kernel that can do `nosymfollow` can already do `openat2`. Also, historically, `$BEESHOME` can be a relative path with symlinks in any path component except the last one, and `nosymfollow` doesn't allow that. Between `openat2` and `nodev`, all symlink attacks are prevented, and rename attacks cannot be used to force bees to open a device file. Signed-off-by: Zygo Blaxell <bees@furryterror.org>