coreutils
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cp, ln, mv, install: check for vulnerable target directories


From: Kaz Kylheku (Coreutils)
Subject: Re: cp, ln, mv, install: check for vulnerable target directories
Date: Wed, 20 Sep 2017 16:11:51 -0700
User-agent: Roundcube Webmail/0.9.2

On 19.09.2017 00:25, Paul Eggert wrote:
For years cp and friends have been subject to a symlink attack, in
that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
directories that the user has access to, if b's parent directory is
world-writable and is not sticky and is manipulated by a malicious
user.

Also, it occurs to me that the attack can be perpetrated if any of the
ancestral directories are writable to another non-root user.

Suppose we have

   cp passwd /alpha/beta/gamma/delta/omega

If the attacker can write to alpha, the attacker can create a symlink in a path like this:

   /home/attacker/beta/gamma/delta/omega -> <arbitrary path>

and, having write access to /alpha, the attacker can replace the /alpha/beta directory with
this symlink:

   /alpha/beta -> /home/attacker/beta





reply via email to

[Prev in Thread] Current Thread [Next in Thread]