Bugtraq mailing list archives
fix for symlinks in /tmp
From: tridge () arvidsjaur anu edu au (Andrew Tridgell)
Date: Fri, 18 Oct 1996 23:02:01 +1000
I have created a patch for Linux that fixes the generic problem of security holes due to symlinks being used in /tmp.

The patch changes the kernel's namei code so that symlinks will not be followed if:

1) the t bit is set on the directory containing the symlink
and
2) the euid of the process does not match the owner of the symlink.

The patch explicitly includes root, so root will not be able to follow symlinks in /tmp unless it owns them.

I believe this change fixes all the "symlink-in-/tmp" style of security holes while having a minimal impact on the normal use of symlinks.

In case you don't think this change is necessary you should think about how many recent security holes in unix-like systems have been due to sloppy coding of programs that create files in /tmp. I also noticed today that gcc is vulnerable to this kind of bug (as of version 2.7.2), so potentially you can attack anyone who compiles anything on your system.

I know there have been other proposed generic fixes for this style of bug, but they tend to suffer from the problem of requiring people to change the way they work. The above fix should not be very noticeable to normal users of a system.

I've submitted the patch to Linus, and have also made it available on ftp://samba.anu.edu.au/pub/linux/symlink.patch

The patch is against Linux kernel 2.0.22, although it should work with any recent kernel. The active part of the patch is only a few lines long.

Can anyone see any problems with this proposal?

Cheers, Andrew

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andrew Tridgell                        Dept. of Computer Science
email: Andrew.Tridgell () anu edu au   Australian National University
Phone: +61 6 254 8209                  Fax: +61 6 249 0010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
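The follow rule described in the message above, as an added user-space model; this is not the kernel patch from the post and not the author's code. The names `may_follow` and `check_path` are hypothetical, and `check_path` applies the two stated conditions to an existing path so an administrator can see which symlinks the rule would refuse for a given euid.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The rule as stated in the post: refuse to follow when the containing
 * directory has the t (sticky) bit set AND the process euid differs from
 * the symlink's owner. There is no exemption for root (euid 0). */
int may_follow(mode_t dir_mode, uid_t link_owner, uid_t euid)
{
    if ((dir_mode & S_ISVTX) && link_owner != euid)
        return 0;
    return 1;
}

/* Apply the rule to a real path: 1 = would follow, 0 = would refuse,
 * -1 = error. Anything that is not a symlink is unaffected by the rule. */
int check_path(const char *path, uid_t euid)
{
    struct stat link_st, dir_st;
    char buf[PATH_MAX];

    if (strlen(path) >= sizeof(buf) || lstat(path, &link_st) != 0)
        return -1;
    if (!S_ISLNK(link_st.st_mode))
        return 1;
    strcpy(buf, path);                    /* dirname() may modify its argument */
    if (stat(dirname(buf), &dir_st) != 0) /* directory containing the symlink */
        return -1;
    return may_follow(dir_st.st_mode, link_st.st_uid, euid);
}

/* Usage: ./a.out /tmp/somelink ...  (evaluated for the caller's euid) */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = check_path(argv[i], geteuid());
        printf("%s: %s\n", argv[i],
               r < 0 ? "error" : r ? "would follow" : "would refuse");
    }
    return 0;
}
```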