Re: [linux-security] Re: t bit and symlinks patch

Igor Chudov @ home (ichudov@algebra.com)
Sat, 19 Oct 1996 17:29:32 -0500 (CDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Bruno Kraychete da Costa: "Re: Ping with a 65510 bytes pack"
Previous message: Al Longyear: "Solution to problem with loading modules in 2.1.4/2.1.5"
In reply to: Andrew Tridgell: "Re: t bit and symlinks patch"
Next in thread: Kai Henningsen: "Re: t bit and symlinks patch"

Andrew Tridgell wrote:
>
> Alan wrote:
> > Nice idea. IMHO however the fix is to stop people writing applications
> > that use /tmp for everything. /tmp was a great idea once upon a time. Its
> > value nowdays is a bit questionable. Better that daemons use /var/run
> > and applications $HOME/.files
>
> I generally agree, its just that I think its hard to actually change
> all those programs (and programmers) out there that use /tmp.
>
> I also think that the change does in fact breath new life into
> /tmp. Are there any /tmp related security holes that it doesn't fix?
> There probably are some, its just that I can't think of them right
> now.
>
> Anyway, I've updated my patch slightly. I changed it so that symlinks
> owned by root are not affected. This is safe and means it breaks less
> things.
>
> With my original patch I found that one thing broke on my mail
> server. I had a link called "tridge" owned by root in /var/spool/mail
> that pointed to /home/tridge/InBox (due to a transition in mailer
> behaviour). I also had /var/spool/mail world writeable with the t bit
> set. My original patch meant I couldn't run programs that referenced
> /var/spool/mail/tridge.
>
> This is now the active bit of the patch:
>
> if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
> inode->i_uid != 0 &&
> current->fsuid != inode->i_uid) {
> iput(dir);
> iput(inode);
> *res_inode = NULL;
> return -EPERM;
> }
>

I apologize if my comment is incorrect, but as I understand, you do
the following: if the directory has bit 't' set and the user does not
own the file that the symlink points to, your patch does not allow to
follow the symlink.

Suppose that I am a hacker on a system with your patch applied. Suppose
my goal is to create a symlink from /tmp/abc to /.rhosts (for example).
That is, I would like to

$ ln -fs /.rhosts /tmp/abc

Since you do not allow me to do that, I do the following:

$ ln -fs /.rhosts $HOME/xyz
$ ln -fs $HOME/xyz /tmp/abc

Wouldn't that fool your function?

igor

>
> the full patch is available from
> ftp://samba.anu.edu.au/pub/linux/symlink.patch
>
> Cheers, Andrew
>

- Igor.

Next message: Bruno Kraychete da Costa: "Re: Ping with a 65510 bytes pack"
Previous message: Al Longyear: "Solution to problem with loading modules in 2.1.4/2.1.5"
In reply to: Andrew Tridgell: "Re: t bit and symlinks patch"
Next in thread: Kai Henningsen: "Re: t bit and symlinks patch"