SNIA Developer Conference September 15-17, 2025 | Santa Clara, CA
Symbolic links Considered Harmful
Abstract
The UNIX Filesystem API is profoundly broken, and user-settable symbolic links are to blame. In this talk I will explain how CVE-2021-20316 made me realize how symbolic links, introduced in 4.2BSD Unix from U.C. Berkeley, broke the previously elegant UNIX file system API and file system design. The design and implementation of symbolic links has caused years worth of security flaws and API patches to fix a conceptually broken idea. I also propose a modest suggestion in order to help Linux step away from this mess to a more secure by-design future.
Learning Objectives
- Security problems with symbolic links on file systems.
- How to fix code to deal with symbolic link security problems.
- Latest Linux innovations to help solve the problem.
Related Sessions
Implementing HDFS ACLs in OneFS
The HDFS protocol supports POSIX.1e style ACLs. Supporting such ACLs in a multiprotocol environment means a translation method should be defined to translate between the NFSv3 mode bits, NFSv4 ACLs, Windows Style ACLs and the POSIX.1e ACLs. POSIX.1e ACLs differ in their structure and evaluation algorithm as compared to other ACLs that are currently supported in OneFS. The talk will detail the approach we took and also some of the surprising challenges related to multithreading.
Design Modern Object Store Server for Lustre file system in the Era of Solid State Storage and Persistent Memory
Fast, scalable parallel file system performance is a key enabler of massively parallel computing as well as of emerging big data and machine learning applications. Released almost two decades ago, Lustre has long been the storage solution of choice for many supercomputing data centers. But as the world slowly retire rotational disks in favor of fast SSDs and persistent memory for their performance tiers, Lustre is becoming increasingly unable to fully utilize available storage bandwidth due to its old, disk-oriented object storage server designs based on Ext4 derived ldiskfs. In this talk, we will first introduce the high level design of Lustre key networking and storage components (Object Storage Server and Object Storage Target). Then we will describe the limitations and shortcomings we consider that are becoming major impedance to further Lustre innovations and hurdle to faster cadence of development. In order to address these issues, we propose a completely new OSS/OST architecture and implementation by natively incorporating latest advancements in hardware (SSDs, Persistent memory), software (SPDK/PMDK, KV-Store) and other relevant technologies such as flexible Erasure Coding data protection scheme. We believe the benefits of this proposal will lower the barrier to future innovative contributions and can invigorate developer community activities, which is essential to ensure Lustre’s continued success in end user adoption and support.
Symbolic links Considered Harmful
The UNIX Filesystem API is profoundly broken, and user-settable symbolic links are to blame. In this talk I will explain how CVE-2021-20316 made me realize how symbolic links, introduced in 4.2BSD Unix from U.C. Berkeley, broke the previously elegant UNIX file system API and file system design. The design and implementation of symbolic links has caused years worth of security flaws and API patches to fix a conceptually broken idea. I also propose a modest suggestion in order to help Linux step away from this mess to a more secure by-design future.