Full Disclosure mailing list archives
Re: hard links on Linux create local DoS vulnerability and security problems
From: Brian Bennett <bahamat () digitalelf net>
Date: Mon, 24 Nov 2003 12:20:50 -0600
On Mon, Nov 24, 2003 at 05:36:29PM +0100, Jakob Lell wrote:
Hello, on Linux it is possible for any user to create a hard link to a file belonging to another user. This hard link continues to exist even if the original file is removed by the owner. However, as the link still belongs to the original owner, it is still counted to his quota. If a malicious user creates hard links for every temp file created by another user, this can make the victim run out of quota (or even fill up the hard disk). This makes a local DoS attack possible.
Hard links can only be created on the same device (i.e., you can't create a hardlink to a file residing on a different partition). This in itself will prevent any type of attack. Anybody who uses the same partition for /home and / on a production multi-user system is asking for trouble. As for users creating hardlinks to other users' files, a simple find -uid will locate any offending files for quota purposes. If there's a concern about users reading other users' files, well that's what permission modes are for. It is also notable, that Linux behaves identically to Solaris in this regard. Not that Solaris is perfect, but it's been in use long enough that if current security was inadequate this would have been dealt with some time ago. -- Brian Bennett bahamat () digitalelf net http://digitalelf.net/ It is undignified for a woman to play servant to a man who is not hers. -- Spock, "Amok Time", stardate 3372.7
Attachment:
signature.asc
Description: Digital signature
Current thread:
- hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Brian Bennett (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Michal Zalewski (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems petard (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Valdis . Kletnieks (Nov 25)
- Re: hard links on Linux create local DoS vulnerability and security problems petard (Nov 24)
- Re: hard links on Linux create local DoS vulnerability and security problems Zow (Nov 25)
- Re: hard links on Linux create local DoS vulnerability and security problems vb (Nov 25)
- Message not available
- Re: hard links on Linux create local DoS vulnerability and security problems Steven Leikeim (Nov 26)
- Re: hard links on Linux create local DoS vulnerability and security problems Jakob Lell (Nov 24)
- Re: Re: hard links on Linux create local DoS vulnerability and security problems Jeremiah Cornelius (Nov 26)