Full Disclosure mailing list archives
Re: hard links on Linux create local DoS vulnerability and security problems
From: petard <petard () freeshell org>
Date: Mon, 24 Nov 2003 19:59:35 +0000
On Mon, Nov 24, 2003 at 07:58:17PM +0100, Michal Zalewski wrote:
But yes, hardlinks introduce a whole array of security problems and other brain-damage scenarios (a trivia: what happens if you create a hardlink to /usr/bin/passwd in /tmp? 1: you cannot remove it; 2: if you name it 'r00tshell', the administrator would have a a heart attack upon spotting a root-owned setuid binary in /tmp). This is hardly new - you can Google for some BUGTRAQ discussions and such back in the '99 or so - but should be brought up once in a while.
If the administrator is worth her salary, you will be unable to create that hardlink because /usr/bin/passwd and /tmp will be on different partitions. This entire issue is more of a configuration issue than a Linux issue. You should never configure a multiuser system such that users can write to partitions which contain suid binaries. -- If your message really might be confidential, download my PGP key here: http://petard.freeshell.org/petard.asc and encrypt it. Otherwise, save bandwidth and lose the disclaimer. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Brian Bennett (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Michal Zalewski (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems petard (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Valdis . Kletnieks (Nov 25)
- Re: hard links on Linux create local DoS vulnerability and security problems petard (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Zow (Nov 25)
- Re: hard links on Linux create local DoS vulnerability and security problems vb (Nov 25)
- Message not available
- Re: hard links on Linux create local DoS vulnerability and security problems Steven Leikeim (Nov 26)
- Re: hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: Re: hard links on Linux create local DoS vulnerability and security problems Jeremiah Cornelius (Nov 26)
- Re: Re: hard links on Linux create local DoS vulnerability and security problems Peter Busser (Nov 26)
- Re: Re: hard links on Linux create local DoS vulnerability and security problems Kurt Seifried (Nov 26)