> Since shared temporary directories are typically owned by root, and random attackers cannot create symlinks owned by root, this would eliminate the problems caused by /tmp file symlink races.
This is a false statement, unless I'm missing something subtle.
# mkdir tmp; chmod 777 tmp; chmod +t tmp; cd tmp
# ln -s /etc/shadow rootapprovedlink
$ ln rootapprovedlink omghax
# echo hello > omghax
The hardlinked symlink can be anywhere on the same partition as /tmp, so it's somewhat mitigated if /tmp is its own filesystem. (Note that the third step is performed by a non-root user.)
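A replay of the four commands above in a private sticky directory, with the vulnerable open beside a hardened one. This is an added example, not code from the thread; the victim file, directory and names are constructed, and the symlink is created by the unprivileged user itself so the demo needs no root.

```python
import os
import shutil
import stat
import tempfile

def naive_write(path, data):
    """The pattern the race exploits: open(2) follows the (hard-linked) symlink."""
    with open(path, "w") as f:
        f.write(data)

def hardened_open(path):
    """O_EXCL fails if anything already exists under the name, O_NOFOLLOW refuses a
    symlink even without O_EXCL; then verify the inode we actually got."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid() or st.st_nlink != 1:
        os.close(fd)
        raise OSError("unexpected inode behind %s" % path)
    return fd

def demo():
    """Constructed replay of the thread's commands in a private sticky directory.
    The symlink is ours, so no kernel restriction blocks it. Returns (clobbered, refused)."""
    base = tempfile.mkdtemp()
    victim = os.path.join(base, "victim")            # stands in for /etc/shadow
    with open(victim, "w") as f:
        f.write("original\n")
    sticky = os.path.join(base, "tmp")
    os.mkdir(sticky)
    os.chmod(sticky, 0o1777)                         # chmod 777; chmod +t
    link = os.path.join(sticky, "rootapprovedlink")
    os.symlink(victim, link)                         # ln -s /etc/shadow rootapprovedlink
    name = os.path.join(sticky, "omghax")
    os.link(link, name, follow_symlinks=False)       # ln rootapprovedlink omghax
    naive_write(name, "hello\n")                     # echo hello > omghax
    with open(victim) as f:
        clobbered = f.read() == "hello\n"            # True: victim was overwritten
    try:
        os.close(hardened_open(name))
        refused = False
    except OSError:
        refused = True                               # True: EEXIST from O_EXCL
    shutil.rmtree(base)
    return clobbered, refused
```

On a kernel with the hardlink restriction enabled (mainline's fs.protected_hardlinks, Linux 3.6 and later), the os.link step fails with EPERM when the symlink belongs to another user, which is the case the thread is about; since the demo's symlink is owned by the caller, it runs unprivileged.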
Posted Jun 3, 2010 11:26 UTC (Thu) by spender (subscriber, #23067)
The statement taken by itself is incorrect, but the actual feature that has been in grsecurity for over 9 years and Openwall even longer than that also adds hardlink restrictions that prevent exactly your attack.
-Brad
Symbolic links in "sticky" directories
Posted Jun 3, 2010 12:41 UTC (Thu) by mikachu (guest, #5333)
Are those restrictions also part of the patches proposed for mainline?
Symbolic links in "sticky" directories
Posted Jun 3, 2010 23:08 UTC (Thu) by kees (subscriber, #27264)
Ubuntu is carrying the hardlink restrictions as well. I intend to upstream it too, but I'm trying to do one thing at a time; they are different -- but obviously related -- topics.