
Symbolic links in "sticky" directories

Symbolic links in "sticky" directories

Posted Jun 3, 2010 10:43 UTC (Thu) by mikachu (guest, #5333)
Parent article: Symbolic links in "sticky" directories

> Since shared temporary directories are typically owned by root, and random attackers cannot create symlinks owned by root, this would eliminate the problems caused by /tmp file symlink races.

This is a false statement, unless I'm missing something subtle.
# mkdir tmp; chmod 777 tmp; chmod +t tmp; cd tmp
# ln -s /etc/shadow rootapprovedlink
$ ln rootapprovedlink omghax
# echo hello > omghax

The hardlinked symlink can be anywhere on the same partition as /tmp, so it's somewhat mitigated if /tmp is its own filesystem. (Note the third step is performed by a non-root user.)



Symbolic links in "sticky" directories

Posted Jun 3, 2010 11:26 UTC (Thu) by spender (subscriber, #23067)

The statement taken by itself is incorrect, but the actual feature, which has been in grsecurity for over 9 years and in Openwall even longer than that, also adds hardlink restrictions that prevent exactly your attack.

-Brad

Symbolic links in "sticky" directories

Posted Jun 3, 2010 12:41 UTC (Thu) by mikachu (guest, #5333)

Are those restrictions also part of the patches proposed for mainline?

Symbolic links in "sticky" directories

Posted Jun 3, 2010 23:08 UTC (Thu) by kees (subscriber, #27264)

Ubuntu is carrying the hardlink restrictions as well. I intend to upstream it too, but I'm trying to do one thing at a time; they are different -- but obviously related -- topics.
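
Added example, not part of the thread or of any of the patches it mentions: the commands in the first comment work because a hard link is a second name for the same inode, so the new name keeps the original symlink's owner. The Python sketch below builds a constructed layout inside a private temporary directory (every path and function name is made up for illustration) and lists the symlinks in a sticky directory whose link count is above one, which is the trace such a hard link leaves behind.

```python
import os
import stat
import tempfile


def hardlinked_symlinks(directory):
    """Return (name, uid, inode, nlink, target) for every symlink in
    `directory` whose inode has more than one name."""
    findings = []
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)  # lstat: the link itself
            if stat.S_ISLNK(st.st_mode) and st.st_nlink > 1:
                findings.append((entry.name, st.st_uid, st.st_ino,
                                 st.st_nlink, os.readlink(entry.path)))
    return sorted(findings)


def build_demo(root):
    """Constructed sample layout; everything lives under `root`."""
    sticky = os.path.join(root, "tmp")
    elsewhere = os.path.join(root, "elsewhere")
    os.mkdir(sticky)
    os.chmod(sticky, 0o1777)  # world-writable with the sticky bit
    os.mkdir(elsewhere)
    target = os.path.join(root, "target.txt")
    with open(target, "w") as f:
        f.write("constructed sample data\n")
    original = os.path.join(elsewhere, "approvedlink")
    os.symlink(target, original)
    # Same operation as `ln rootapprovedlink omghax` in the comment:
    # hard-link the symlink itself, not the file it points to.
    os.link(original, os.path.join(sticky, "secondname"),
            follow_symlinks=False)
    # An ordinary symlink created in place has a link count of 1.
    os.symlink(target, os.path.join(sticky, "ordinarylink"))
    return sticky, original


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        sticky, original = build_demo(root)
        orig = os.lstat(original)
        print("original: uid=%d inode=%d" % (orig.st_uid, orig.st_ino))
        for name, uid, ino, nlink, target in hardlinked_symlinks(sticky):
            print("%s: uid=%d inode=%d nlink=%d -> %s"
                  % (name, uid, ino, nlink, target))
```

The reported uid and inode match the original symlink's, which is why an owner check on the symlink alone cannot tell the two names apart.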

