Re: varlinks! ((in)security?)
Rogier Wolff (R.E.Wolff@BitWizard.nl)
Thu, 30 Apr 1998 01:11:56 +0200 (MET DST)
Illuminatus Primus wrote:
>
>
> On Wed, 29 Apr 1998, Rogier Wolff wrote:
>
> >
> > > No, no, no... you could potentially trick an app into indirecting
> > > through a symlink it otherwise wouldn't have indirected through,
> > > getting unauthorized access to a file.
> >
> > So, I still don't get it. Explain please....
> >
>
> I don't think the security concerns with varlinks are any different from
> dealing with symlink races. If a program doesn't trust a symlink (or
> varlink) to remain constant, it should fopen() the file and then fstat()
> it, or whatever it likes once it has the file referenced by inode.
> Varlinks could only make changing the link destination something triggered
> internally instead of a crap shoot.. But I'm guessing that most programs
> don't modify varlink-dependent variables in between access checks and
> actual access. If so, they were doing things insecurely anyway :).
>
> Separate subject (TMPDIR):
> How would TMPDIR interact with suid programs? It seems like being able to
> make a suid program write its temp files to a directory you have complete
> access to (as opposed to sticky access) wouldn't be a Good Thing.
The answer is simple. A setuid program should simply take care not to write
anything to /tmp or to $TMPDIR. Both are terribly wrong.
I've suggested "/etc/tmp" as a root-only tmpdir. Or /stmp (analogous to
/sbin).
I'm hoping varlinks will "solve" this. But I'm biased. Shoot ahead.
Roger.
--
If it's there and you can see it, it's REAL |___R.E.Wolff@BitWizard.nl |
If it's there and you can't see it, it's TRANSPARENT | Tel: +31-15-2137555 |
If it's not there and you can see it, it's VIRTUAL |__FAX:_+31-15-2138217 |
If it's not there and you can't see it, it's GONE! -- Roy Wilks, 1983 |_____|