Re: [linux-security] Re: t bit and symlinks patch

Andrew Tridgell (tridge@arvidsjaur.anu.edu.au)
Mon, 21 Oct 1996 23:22:55 +1000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andrew_Wakefield@kainos.com: "Re: Kernel panic after reboot"
Previous message: Bob Tracy - TDS: "Re: copy_to_user does not handle constant length parameter (Linux 2.1.5)"

Igor wrote:
> I apologize if my comment is incorrect, but as I understand, you do
> the following: if the directory has bit 't' set and the user does not
> own the file that the symlink points to, your patch does not allow to
> follow the symlink.

No, not quite. The decision is made on whether the user owns the
symlink, not if they own the file that it points at.

Luckily Linux does have the concept of the owner of a
symlink. Apparently BSD4.4 doesn't have this concept so they would
need a different approach to this problem.

> Suppose that I am a hacker on a system with your patch applied. Suppose
> my goal is to create a symlink from /tmp/abc to /.rhosts (for example).
> That is, I would like to
>
> $ ln -fs /.rhosts /tmp/abc
>
> Since you do not allow me to do that, I do the following:
>
> $ ln -fs /.rhosts $HOME/xyz
> $ ln -fs $HOME/xyz /tmp/abc
>
> Wouldn't that fool your function?

No, because the symlink will be owned by you, so root (and other
users) won't follow it. It doesn't matter what file it points at.

Andrew

Next message: Andrew_Wakefield@kainos.com: "Re: Kernel panic after reboot"
Previous message: Bob Tracy - TDS: "Re: copy_to_user does not handle constant length parameter (Linux 2.1.5)"