coreutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cp, ln, mv, install: check for vulnerable target directories

From: Kaz Kylheku (Coreutils)
Subject: Re: cp, ln, mv, install: check for vulnerable target directories
Date: Wed, 20 Sep 2017 16:11:51 -0700
User-agent: Roundcube Webmail/0.9.2 
On 19.09.2017 00:25, Paul Eggert wrote:

For years cp and friends have been subject to a symlink attack, in
that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
directories that the user has access to, if b's parent directory is
world-writable and is not sticky and is manipulated by a malicious
user.


Also, it occurs to me that the attack can be perpetrated if any of the
ancestral directories are writable to another non-root user.

Suppose we have

   cp passwd /alpha/beta/gamma/delta/omega
If the attacker can write to alpha, the attacker can create a symlink in a path like this: 

   /home/attacker/beta/gamma/delta/omega -> <arbitrary path>
and, having write access to /alpha, the attacker can replace the /alpha/beta directory with 
this symlink:

   /alpha/beta -> /home/attacker/beta
reply via email to
[Prev in Thread] Current Thread [Next in Thread]