[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: cp, ln, mv, install: check for vulnerable target directories
From: |
Kaz Kylheku (Coreutils) |
Subject: |
Re: cp, ln, mv, install: check for vulnerable target directories |
Date: |
Wed, 20 Sep 2017 16:11:51 -0700 |
User-agent: |
Roundcube Webmail/0.9.2 |
On 19.09.2017 00:25, Paul Eggert wrote:
For years cp and friends have been subject to a symlink attack, in
that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
directories that the user has access to, if b's parent directory is
world-writable and is not sticky and is manipulated by a malicious
user.
Also, it occurs to me that the attack can be perpetrated if any of the
ancestral directories are writable to another non-root user.
Suppose we have
cp passwd /alpha/beta/gamma/delta/omega
If the attacker can write to alpha, the attacker can create a symlink in
a path like this:
/home/attacker/beta/gamma/delta/omega -> <arbitrary path>
and, having write access to /alpha, the attacker can replace the
/alpha/beta directory with
this symlink:
/alpha/beta -> /home/attacker/beta
- Re: cp, ln, mv, install: check for vulnerable target directories, (continued)
- Re: cp, ln, mv, install: check for vulnerable target directories, Bernhard Voelker, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/20
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Kaz Kylheku (Coreutils), 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/21
- Re: cp, ln, mv, install: check for vulnerable target directories, Paul Eggert, 2017/09/25
Re: cp, ln, mv, install: check for vulnerable target directories,
Kaz Kylheku (Coreutils) <=