Index: /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h (revision 66631) +++ /trunk/src/VBox/HostDrivers/Support/SUPLibInternal.h (revision 66632) @@ -449,5 +449,5 @@ DECLHIDDEN(int) supR3HardenedVerifyFile(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty, PRTERRINFO pErrInfo); -#ifdef RT_OS_DARWIN +#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX) DECLHIDDEN(int) supR3HardenedVerifyFileFollowSymlinks(const char *pszFilename, RTHCUINTPTR hNativeFile, bool fMaybe3rdParty, PRTERRINFO pErrInfo); Index: /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp (revision 66631) +++ /trunk/src/VBox/HostDrivers/Support/SUPR3HardenedVerify.cpp (revision 66632) @@ -1036,5 +1036,6 @@ } -#ifdef RT_OS_DARWIN + +#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX) /** * Copies the four messages into the error buffer and returns @a rc. @@ -1053,5 +1054,5 @@ return supR3HardenedSetErrorN(rc, pErrInfo, 4, pszMsg1, pszMsg2, pszMsg3, pszMsg4); } -#endif /* RT_OS_DARWIN */ +#endif @@ -1072,6 +1073,6 @@ } + #ifdef SOME_UNUSED_FUNCTION - /** * Copies the two messages into the error buffer and returns @a rc. @@ -1088,9 +1089,8 @@ return supR3HardenedSetErrorN(rc, pErrInfo, 2, pszMsg1, pszMsg2); } - -#endif /* SOME_UNUSED_FUNCTION */ - -#ifdef RT_OS_DARWIN - +#endif + + +#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX) /** * Copies the error message to the error buffer and returns @a rc. @@ -1105,5 +1105,4 @@ return supR3HardenedSetErrorN(rc, pErrInfo, 1, pszMsg); } - #endif @@ -1501,6 +1500,16 @@ /* * World must not have write access. There is no relaxing this rule. - */ - if (pFsObjState->Stat.st_mode & S_IWOTH) + * Linux exception: Symbolic links are always give permission 0777, there + * is no lchmod or lchown APIs. The permissions on parent + * directory that contains the symbolic link is what is + * decising wrt to modifying it. (Caller is expected not + * to allow symbolic links in the first path component.) + */ + if ( (pFsObjState->Stat.st_mode & S_IWOTH) +# ifdef RT_OS_LINUX + && ( !S_ISLNK(pFsObjState->Stat.st_mode) + || !fSymlinksAllowed /* paranoia */) +# endif + ) return supR3HardenedSetError3(VERR_SUPLIB_WORLD_WRITABLE, pErrInfo, "World writable: '", pszPath, "'"); @@ -1846,5 +1855,5 @@ -#ifdef RT_OS_DARWIN +#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX) /** * Verfies a file following symlinks. @@ -2001,5 +2010,5 @@ return VINF_SUCCESS; } -#endif /* RT_OS_DARWIN */ +#endif /* RT_OS_DARWIN || RT_OS_LINUX */ Index: /trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp =================================================================== --- /trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp (revision 66631) +++ /trunk/src/VBox/HostDrivers/Support/posix/SUPR3HardenedMain-posix.cpp (revision 66632) @@ -190,5 +190,5 @@ && strchr(pszFilename, '/') != NULL) { -#ifdef RT_OS_DARWIN +#if defined(RT_OS_DARWIN) || defined(RT_OS_LINUX) int rc = supR3HardenedVerifyFileFollowSymlinks(pszFilename, RTHCUINTPTR_MAX, true /* fMaybe3rdParty */, NULL /* pErrInfo */);