
Re: cp, ln, mv, install: check for vulnerable target directories


From: Kaz Kylheku (Coreutils)
Subject: Re: cp, ln, mv, install: check for vulnerable target directories
Date: Thu, 21 Sep 2017 09:18:38 -0700
User-agent: Roundcube Webmail/0.9.2

On 20.09.2017 18:59, Paul Eggert wrote:
> Kaz Kylheku (Coreutils) wrote:
>
>> Instead of checking for what *could* go wrong, why not defend more
>> specifically against signs that the attack might be actually happening.
>
> That's what the patch is trying to do, though it looks like it should
> be improved.

There is a simple operating system fix for this: do not allow processes
to create symlinks in directories to which they only have write access via
S_IWOTH.

More precisely, the proposal is that if a process wants to create a symlink,
then it either has to be root, or else the owner of the directory with S_IWUSR
asserted on the directory, or else the group owner (directly or via a
supplementary GID) with S_IWGRP asserted. For the purposes of creating a
symlink, the directory is treated as if S_IWOTH is false, even if set.

The main use case for shared writable directories is /tmp and "spool" directories.

I can't think of a legit reason to be creating symlinks in those directories,
only subdirectories (in which the creator then makes symlinks),
regular files, and some special objects like sockets.

A symlink in a shared writable directory is nothing more than a "name squatting"
trap. Ergo, don't allow that. Or else, the responsibility for defense then
spreads all over the system, such as into basic utilities!
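The rule proposed in the message above, written out as an added example in C; this is not code from the thread, from coreutils or from any kernel. The `creds` and `dir_meta` structs, the sample principals (alice, bob) and the sample directories are constructed for illustration. It assumes the usual POSIX permission-class semantics (owner bits apply when the uid matches, otherwise group bits when the process is in the group, otherwise "other" bits) and expresses the proposal as the same check with S_IWOTH masked off, so that world-writable directories such as /tmp never grant symlink creation to unprivileged users.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Credentials of the calling process (constructed struct, not a kernel type). */
struct creds {
    uid_t uid;
    gid_t gid;            /* primary GID */
    const gid_t *groups;  /* supplementary GIDs */
    size_t ngroups;
};

/* The parts of a directory's inode the rule looks at (constructed struct). */
struct dir_meta {
    uid_t owner;
    gid_t group;
    mode_t mode;          /* permission bits, e.g. 01777 for /tmp */
};

static bool in_group(const struct creds *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Ordinary POSIX write check on a directory: owner bits if the uid matches,
   else group bits if the process is in the group, else "other" bits.
   Root always passes. This is what lets anyone create entries in /tmp. */
bool dir_write_allowed(const struct creds *c, const struct dir_meta *d)
{
    if (c->uid == 0)
        return true;
    if (c->uid == d->owner)
        return (d->mode & S_IWUSR) != 0;
    if (in_group(c, d->group))
        return (d->mode & S_IWGRP) != 0;
    return (d->mode & S_IWOTH) != 0;
}

/* The proposed symlink-creation rule: the same check, but with S_IWOTH
   treated as clear, so write access granted only to "other" never suffices.
   Assumption: owner and group classes are exclusive, as in POSIX. */
bool symlink_create_allowed(const struct creds *c, const struct dir_meta *d)
{
    struct dir_meta masked = *d;
    masked.mode &= ~(mode_t)S_IWOTH;
    return dir_write_allowed(c, &masked);
}

/* Constructed sample principals and directories. */
static const gid_t bob_groups[] = { 50 };
const struct creds root_cred  = { 0, 0, NULL, 0 };
const struct creds alice_cred = { 1000, 1000, NULL, 0 };        /* no extra groups */
const struct creds bob_cred   = { 1001, 1001, bob_groups, 1 };  /* member of gid 50 */

const struct dir_meta tmp_dir    = { 0, 0, 01777 };     /* /tmp: root-owned, sticky, world-writable */
const struct dir_meta alice_home = { 1000, 1000, 0755 }; /* private directory */
const struct dir_meta spool_dir  = { 0, 50, 0775 };      /* root-owned, group 50 may write */

int main(void)
{
    printf("alice in /tmp:   write=%d symlink=%d\n",
           dir_write_allowed(&alice_cred, &tmp_dir),
           symlink_create_allowed(&alice_cred, &tmp_dir));
    printf("root in /tmp:    write=%d symlink=%d\n",
           dir_write_allowed(&root_cred, &tmp_dir),
           symlink_create_allowed(&root_cred, &tmp_dir));
    printf("bob in spool:    write=%d symlink=%d\n",
           dir_write_allowed(&bob_cred, &spool_dir),
           symlink_create_allowed(&bob_cred, &spool_dir));
    printf("alice in spool:  write=%d symlink=%d\n",
           dir_write_allowed(&alice_cred, &spool_dir),
           symlink_create_allowed(&alice_cred, &spool_dir));
    return 0;
}
```

The only case where the two functions disagree is the one the proposal targets: an unprivileged user in a world-writable directory (alice in /tmp) may still create regular files and subdirectories but not a symlink. For comparison, the Linux sysctl fs.protected_symlinks (present since kernel 3.6) restricts *following* symlinks in world-writable sticky directories; the proposal in the message addresses the creation side instead.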