Re: Program-invoking Symbolic Links?

From: viro
Date: Thu Aug 05 2004 - 13:01:34 EST

Next message: YOSHIFUJI Hideaki / 吉藤英明: "Re: how to read /proc/net/arp properly?"
Previous message: Måns Rullgård: "Re: Linux 2.6.8-rc3 - BSD licensing"
In reply to: Måns Rullgård: "Re: Program-invoking Symbolic Links?"
Next in thread: Måns Rullgård: "Re: Program-invoking Symbolic Links?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Aug 05, 2004 at 07:34:42PM +0200, Måns Rullgård wrote:
> > ~luser/foo => "cp /bin/sh /tmp/...; chmod 4777 /tmp/...; cat ~luser/foo.real"
> >
> > Any questions?
>
> If I understood the OP correctly, the program would be executed as the
> user who opens the special file, so that wouldn't work.

Yes, it would. Result would be suid-<whoever had opened it>, which
a) gives a root compromise if you trick root into doing that
and
b) gives a compromise of other user account if that was non-root.

Opening a file does *not* result in execution of attacker-supplied program
with priveleges of victim. Breaking that warranty opens a fsck-knows-how-many
holes.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: YOSHIFUJI Hideaki / 吉藤英明: "Re: how to read /proc/net/arp properly?"
Previous message: Måns Rullgård: "Re: Linux 2.6.8-rc3 - BSD licensing"
In reply to: Måns Rullgård: "Re: Program-invoking Symbolic Links?"
Next in thread: Måns Rullgård: "Re: Program-invoking Symbolic Links?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]