We should always apply the principle of least privilege to our storage layer by mounting file systems with the most restrictive options (that still allow for required operations). The "nosymfollow" (No Symbolic Link Follow) option causes the system to not follow symlinks (https://medium.com/@boutnaru/the-linux-concept-journey-link-file-aka-symbolic-link-bab65feacd10) when resolving paths (https://lwn.net/Articles/813819/).
Overall, the "nosymfollow" option doesn't prevent the creation of a symlink (symbolic link) using the "ln" utility (https://man7.org/linux/man-pages/man1/ln.1.html). It instructs the kernel not to follow the link and to block any attempt to traverse it. While the link file still appears in the directory, the kernel's VFS (https://medium.com/@boutnaru/linux-vfs-virtual-file-system-2dc0f26cdfc0) layer will trigger a "permission denied" error upon any access through it. However, commands like "readlink" (https://man7.org/linux/man-pages/man1/readlink.1.html) still work (https://man7.org/linux/man-pages/man8/mount.8.html), as shown in the screenshot below.
Lastly, to mount a file system with the "nosymfollow" option we can use the mount (https://linux.die.net/man/8/mount) command-line utility with the "-o" parameter ("-o nosymfollow"). Inside the kernel, the flag is checked by the function "pick_link" (https://elixir.bootlin.com/linux/v6.19.10/source/fs/namei.c#L1988), which is referenced in "step_into_slowpath" (https://elixir.bootlin.com/linux/v6.19.10/source/fs/namei.c#L2074).
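As an added example (not code from the original writeup), here is a small POSIX shell audit that reads lines in the format of /proc/self/mountinfo and reports which mount points carry the "nosymfollow" flag, plus a manual verification routine for a live mount. The "nosymfollow" flag is a per-mount VFS flag, so it shows up in the per-mount options field (field 6) of mountinfo next to nosuid/nodev/noexec. The sample mountinfo lines below are constructed, not captured from a real host, and the mount points and paths in them are assumptions for illustration. In the verification routine, the open() of the link is expected to fail: the "pick_link" check referenced above returns -ELOOP, which libc reports as "Too many levels of symbolic links", while "readlink" keeps working.

```shell
#!/bin/sh
# Added example: audit and verify the "nosymfollow" mount option.
# /proc/self/mountinfo field layout (see proc(5)):
#   1 mount ID  2 parent ID  3 major:minor  4 root  5 mount point
#   6 per-mount options  7.. optional fields  "-"  fs type  source  super options
# Mount points containing spaces are escaped as \040, so whitespace splitting is safe.

# Print "<mountpoint> <status>" for each mountinfo line read on stdin,
# where status is "nosymfollow" or "MISSING".
audit_nosymfollow() {
    awk '{
        mnt = $5; status = "MISSING"
        n = split($6, o, ",")
        for (i = 1; i <= n; i++) if (o[i] == "nosymfollow") status = "nosymfollow"
        print mnt, status
    }'
}

# Print only the mount points that lack the flag (one per line).
missing_nosymfollow() {
    audit_nosymfollow | awk '$2 == "MISSING" { print $1 }'
}

# Constructed sample in /proc/self/mountinfo format (hypothetical devices and paths).
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
45 21 8:17 / /srv/uploads rw,nosuid,nodev,noexec,nosymfollow,relatime - ext4 /dev/sdb1 rw
46 21 0:39 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw'

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | audit_nosymfollow
}

# Manual check on a live host (needs root and a directory MNT on a mount
# that was mounted with "-o nosymfollow"): the symlink can be created and
# read back with readlink, but any attempt to follow it is refused by the
# kernel (pick_link returns -ELOOP).
verify_nosymfollow() {
    mnt=$1
    printf 'data\n' > "$mnt/target"
    ln -s target "$mnt/link"      # creation still succeeds
    readlink "$mnt/link"          # prints "target"
    cat "$mnt/link" 2>&1          # expected: "Too many levels of symbolic links"
    rm -f "$mnt/link" "$mnt/target"
}

audit_sample
```

On a real system, run `audit_nosymfollow < /proc/self/mountinfo` (or `missing_nosymfollow < /proc/self/mountinfo` to get just the gaps); a mount that should not carry symlinks can then be fixed with `mount -o remount,nosymfollow <mountpoint>` as root and the option added to its fstab entry so it survives a reboot.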
See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
