Bugtraq mailing list archives

fix for symlinks in /tmp


From: tridge () arvidsjaur anu edu au (Andrew Tridgell)
Date: Fri, 18 Oct 1996 23:02:01 +1000


I have created a patch for Linux that fixes the generic problem of
security holes due to symlinks being used in /tmp.

The patch changes the kernel's namei code so that symlinks will not be
followed if:

1) the t bit is set on the directory containing the symlink
and
2) the euid of the process does not match the owner of the symlink.

The patch explicitly includes root, so root will not be able to follow
symlinks in /tmp unless it owns them.

I believe this change fixes all the "symlink-in-/tmp" style of
security holes while having a minimal impact on the normal use of
symlinks.

In case you don't think this change is necessary you should think
about how many recent security holes in unix-like systems have been
due to sloppy coding of programs that create files in /tmp. I also
noticed today that gcc is vulnerable to this kind of bug (as of
version 2.7.2), so potentially you can attack anyone who compiles
anything on your system.

I know there have been other proposed generic fixes for this style of
bug, but they tend to suffer from the problem of requiring people to
change the way they work. The above fix should not be very noticeable
to normal users of a system.

I've submitted the patch to Linus, and have also made it available on
ftp://samba.anu.edu.au/pub/linux/symlink.patch

The patch is against Linux kernel 2.0.22, although it should work with
any recent kernel. The active part of the patch is only a few lines
long.

Can anyone see any problems with this proposal?

Cheers, Andrew

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andrew Tridgell                            Dept. of Computer Science
email: Andrew.Tridgell () anu edu au          Australian National University
Phone: +61 6 254 8209                      Fax: +61 6 249 0010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
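
The rule described in the message above, written out as a userspace C predicate. This is an added example, not the patch or any code from the original post; the names may_follow_link and demo, the scratch directory under /tmp and the link target are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if following path is allowed, 0 if refused, -1 on error.
 * Rule from the message: refuse when the containing directory has the t bit
 * set AND euid is not the owner of the symlink (no exception for root). */
int may_follow_link(const char *path, uid_t euid)
{
    struct stat lnk, dir;
    char buf[PATH_MAX];
    if (lstat(path, &lnk) != 0 || strlen(path) >= sizeof buf)
        return -1;
    if (!S_ISLNK(lnk.st_mode))
        return 1;                       /* the rule only concerns symlinks */
    strcpy(buf, path);
    if (stat(dirname(buf), &dir) != 0)  /* dirname() may modify buf */
        return -1;
    if ((dir.st_mode & S_ISVTX) && euid != lnk.st_uid)
        return 0;
    return 1;
}

/* Constructed scenario: a scratch directory holding one symlink we own. */
int demo(int sticky, int foreign_euid)
{
    char dir[] = "/tmp/symdemoXXXXXX", link[64];
    int r;
    if (!mkdtemp(dir))
        return -1;
    chmod(dir, sticky ? 01777 : 0777);
    snprintf(link, sizeof link, "%s/l", dir);
    if (symlink("constructed-target", link) != 0) { rmdir(dir); return -1; }
    r = may_follow_link(link, geteuid() + (foreign_euid ? 1 : 0));
    unlink(link);
    rmdir(dir);
    return r;
}

int main(void)
{
    printf("sticky dir, foreign euid: %d\n", demo(1, 1));
    return 0;
}
```

A check like this in userspace races with the later open; the patch applies the rule inside the kernel's namei lookup, where the link is actually resolved.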


