Linux 5.10 Adds "nosymfollow" Mount Option Security Defense
Written by Michael Larabel in Linux Kernel on 24 October 2020 at 04:28 PM EDT. 9 Comments
LINUX KERNEL --
FreeBSD has long supported a "nosymfollow" mount option to prevent following of symlinks on mounted file-systems while now the mainline Linux kernel is adding a similar security defense.

Driven along by Google's kernel engineers as their work on Chrome OS, they have upstreamed their nosymfollow implementation to the mainline kernel with Linux 5.10. The premise of this feature is to not follow symlinks when resolving paths within the kernel. Symlinks can still be created on the mounted file-system and readlink() will still function, thus not breaking user-space usage of symlinks, but this generic mount option is intended as a kernel defense.

The goal is to help prevent privileged writers from modifying files unintentionally if following symlinks created with malicious intent. Google outlines this security measure within the Chromium documentation concerning hardening against malicious stateful data and more specifically their intention with restricting symlink traversal.

The nosymfollow mount option for Linux 5.10 was sent in today as part of the VFS misc pile ahead of the 5.10 merge window closure on Sunday.
Related News
About The Author
Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week