Date:      Fri, 18 Oct 1996 16:12:12 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        Andrew.Tridgell@anu.edu.au
Cc:        terry@lambert.org, julian@whistle.com, Guido.vanRooij@nl.cis.philips.com, freebsd-hackers@FreeBSD.org
Subject:   Re: fix for symlinks in /tmp (fwd) FYI
Message-ID:  <199610182312.QAA02213@phaeton.artisoft.com>
In-Reply-To: <96Oct19.085025%2B1000est.65042-172%2B209@arvidsjaur.anu.edu.au> from "Andrew Tridgell" at Oct 19, 96 08:50:24 am

> Terry, I think you are mixing something up. My symlink patch has
> absolutely nothing to do with Samba. I do have a life outside Samba
> you know :-)

>*Ahem*<

Well, that's very different.  Never mind.

I'm afraid your name is synonymous with SAMBA... ;-).


> My patch tries to address the general type of security hole in
> unix-like systems where users create symlinks in /tmp to try to
> subvert security. There have been dozens of these types of holes
> reported in lots of different programs. I additionally reported
> yesterday that gcc is vulnerable, so you can screw anyone that is
> compiling a program on your system.
> 
> Perhaps you should read the patch at
> ftp://samba.anu.edu.au/pub/linux/symlink.patch
> 
> I'm really after feedback answering the question "what legitimate use
> for symlinks does this change in semantics break". If too many things
> break then the patch is useless.
> 
> So far I've received pretty positive feedback. Linus even likes it :-)

Ah.

Symlinks in BSD inherit ownership of the symlink from the directory,
as of BSD 4.4.

Prior to BSD 4.4, when the symlinks were stored in files instead of
directory entries, it is always the target of the link whose permissions
are examined, not the permissions of the link itself.

Finally, the main vulnerability of this type is for hard links of system
files into the mail directory for the mail system to indiscriminately
"append" security-violating "messages", like messages containing
password entries, to the mailbox /etc/passwd.

I don't think BSD has ever been vulnerable to a "symlink attack" in the
past, let alone now, since the 't' bit never worked against symlinks
like the patch comments indicate it would have to, to be problematic.


Did you have a particular attack in mind?

Is this just an instance of the "a common place root might be running
from, local-file-replacement-trojan" attack?


					Regards,
					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
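The class of hole the thread is arguing about, as an added example that is not part of the original message or of Tridgell's patch: a program creates a temp file at a predictable name in a directory the attacker can also write to, and the attacker has already planted a symlink (or hard link, the mail-spool variant Terry mentions) of that name pointing at a file only the victim can write. The scenario below is constructed in a fresh private directory so it can run anywhere; the naive writer is subverted, the hardened writer (O_EXCL, O_NOFOLLOW, then fstat on the descriptor rather than stat on the path) refuses, and still works when nothing has been planted. Names such as `scratch`, `victim` and `symdemo` are the example's own.

```c
/* Added example (not from the original thread): the /tmp symlink hole,
 * reproduced in a private scratch directory.  Paths/names are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct scenario { char dir[64]; char victim[96]; char link[96]; };

/* Naive writer: open() follows whatever sits at `path`, so a pre-planted
 * symlink redirects the truncate+write onto the link's target. */
int naive_tmp_write(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened writer: O_EXCL fails if *anything* already exists at `path`
 * (symlink, dangling or not; hard link; directory); O_NOFOLLOW refuses to
 * traverse a symlink in the final component.  The checks are then done
 * with fstat() on the descriptor we actually hold, never on the path, so a
 * swap between open() and write() cannot change what is being written. */
int safe_tmp_write(const char *path, const char *data)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {   /* nlink: hard-link case */
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Constructed setup: fresh private dir, a victim file with known contents,
 * and the attacker's link <dir>/scratch -> <dir>/victim. */
static int plant_symlink(struct scenario *s)
{
    FILE *f;
    strcpy(s->dir, "/tmp/symdemoXXXXXX");
    if (!mkdtemp(s->dir)) {                 /* fall back to cwd if /tmp is unusable */
        strcpy(s->dir, "./symdemoXXXXXX");
        if (!mkdtemp(s->dir)) return -1;
    }
    snprintf(s->victim, sizeof s->victim, "%s/victim", s->dir);
    snprintf(s->link, sizeof s->link, "%s/scratch", s->dir);
    if (!(f = fopen(s->victim, "w"))) return -1;
    fputs("original contents\n", f);
    fclose(f);
    return symlink(s->victim, s->link);
}

static int file_contains(const char *path, const char *needle)
{
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strstr(buf, needle) != NULL;
}

static void cleanup(struct scenario *s) { unlink(s->link); unlink(s->victim); rmdir(s->dir); }

/* 1 if the naive writer's data landed in the victim file (attack succeeded). */
int naive_writer_is_subverted(void)
{
    struct scenario s;
    if (plant_symlink(&s) < 0) return -1;
    naive_tmp_write(s.link, "attacker-chosen line\n");
    int hit = file_contains(s.victim, "attacker-chosen");
    cleanup(&s);
    return hit;
}

/* 1 if the hardened writer refused the planted link and the victim is intact. */
int safe_writer_refuses(void)
{
    struct scenario s;
    if (plant_symlink(&s) < 0) return -1;
    int rc = safe_tmp_write(s.link, "attacker-chosen line\n");
    int ok = rc == -1 && file_contains(s.victim, "original contents");
    cleanup(&s);
    return ok;
}

/* 1 if the hardened writer still works when nothing has been planted. */
int safe_writer_works_on_fresh_path(void)
{
    struct scenario s;
    if (plant_symlink(&s) < 0) return -1;
    unlink(s.link);                         /* scratch no longer exists */
    int ok = safe_tmp_write(s.link, "legit\n") == 0 && file_contains(s.link, "legit");
    cleanup(&s);
    return ok;
}

int main(void)
{
    printf("naive subverted: %d\n", naive_writer_is_subverted());
    printf("safe refuses:    %d\n", safe_writer_refuses());
    printf("safe fresh path: %d\n", safe_writer_works_on_fresh_path());
    return 0;
}
```

The directory is created mode 0700 and is not sticky, so no kernel-side policy on symlinks in sticky directories applies; what you see is purely the difference between the two open() calls. For a real temp file you would also use an unpredictable name (mkstemp(3) does O_CREAT|O_EXCL for you), but a random name is not a substitute for O_EXCL: the attacker only has to guess once.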



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610182312.QAA02213>