Re: hard links create local DoS vulnerability and security problems

From: Richard B. Johnson
Date: Mon Nov 24 2003 - 13:09:12 EST


On Mon, 24 Nov 2003, Rudo Thomas wrote:

> > A setuid binary created with a hard-link will only work as a setuid
> > binary if the directory it's in is owned by root. [...]
>
> This is not true, just verified it.
>
> Rudo.
>
Really? Has your system been hacked?

Script started on Mon Nov 24 12:56:36 2003
# cat xxx.c

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setuid(), setgid() */

/* Test program: when the file runs setuid root, setuid(0)/setgid(0)
 * succeed and whoami prints root; otherwise they fail and whoami
 * prints the caller. Return values are not checked; the whoami
 * output is the observation. */
int main(void)
{
	setuid(0);
	setgid(0);
	system("whoami");
	return 0;
}
# gcc -o /tmp/xxx xxx.c
# cd /tmp
# chmod 4755 xxx
# su johnson
$ pwd
/tmp
$ ./xxx
root
$ cd ~
$ cp /tmp/xxx .
$ ls -la xxx
-rwxr-xr-x 1 rjohnson guru 4887 Nov 24 12:57 xxx
$ ./xxx
rjohnson
$ chmod 4755 xxx
$ ./xxx
rjohnson
$ rm xxx
$ ln /tmp/xxx xxx
$ ./xxx
rjohnson
You have new mail in /var/spool/mail/root
$ exit
exit

Script done on Mon Nov 24 13:00:08 2003


This clearly shows that once the file exists in a non-root
directory, it will not function as setuid root.


Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
Note 96.31% of all statistics are fiction.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
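A check to go with the transcript above, added here as an example and not part of the original message or thread. It assumes Linux with GNU coreutils (stat -c) and a filesystem that permits hard links, and it runs unprivileged: the setuid bit is put on a file the caller owns, so the only identity it could ever confer is the caller's own; what the script inspects is the bookkeeping. Owner and mode bits, setuid included, are attributes of the inode, so a hard link (another name for the same inode) reports the same owner and the same bits, while cp allocates a new inode owned by whoever ran cp, which is why the copied xxx in the transcript shows rjohnson as owner and no setuid bit. Clearing the bit through one name and reading it back through the other makes the same point from the other side. The directory layout (orig, link, copy under a mktemp directory) is constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original thread.
# Assumes Linux with GNU coreutils (stat -c) and a filesystem that allows
# hard links. Runs as an ordinary user: the setuid bit goes on a file we
# own, so it could only ever confer our own uid; we inspect the bookkeeping.

# True when both names resolve to the same inode on the same device.
same_inode() {
    [ "$1" -ef "$2" ]
}

# True when the setuid bit is set in the inode's mode
# (stat -c %A prints e.g. "-rwsr-xr-x"; the 4th character is s or S).
is_setuid() {
    case "$(stat -c %A "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Owner name recorded on the inode.
owner_of() {
    stat -c %U "$1"
}

# Build a scratch directory (constructed for the demo) holding:
#   orig  - an empty file with mode 4755 (setuid to ourselves)
#   link  - a hard link to orig: same inode, same owner, same bits
#   copy  - cp of orig: a new inode owned by whoever ran cp
# Prints the directory path; the caller removes it.
make_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/orig"                        || return 1
    chmod 4755 "$dir/orig"                 || return 1
    ln "$dir/orig" "$dir/link"             || return 1
    cp "$dir/orig" "$dir/copy"             || return 1
    printf '%s\n' "$dir"
}

# Stand-alone run: show the three names side by side, then clear setuid
# through one name and read the mode back through the other.
d=$(make_demo) || exit 1
for f in orig link copy; do
    printf '%-5s inode=%s mode=%s owner=%s\n' "$f" \
        "$(stat -c %i "$d/$f")" "$(stat -c %a "$d/$f")" "$(owner_of "$d/$f")"
done
chmod u-s "$d/link"
printf 'after chmod u-s link: orig mode=%s\n' "$(stat -c %a "$d/orig")"
rm -rf "$d"
```

Whether a setuid bit that is present is honoured at exec is a separate question from whether it is set: a nosuid mount option on the filesystem holding the file makes the kernel ignore it, and findmnt -T /path -o TARGET,OPTIONS shows the options of the mount containing /path. That, and whether ln succeeded at all (hard links cannot cross filesystems), are the first things to check when a binary that stat reports as setuid runs as the caller.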