Proposal: restrict link(2)

Thomas Koenig (ig25@mvmap66.ciw.uni-karlsruhe.de)
Wed, 11 Dec 1996 10:21:09 +0100 (MET)


The possibilities of playing around with symlinks in /tmp are well
known and understood.

However, there are also many things which can go wrong with publicly
writable directories, such as /tmp, when hard links are employed.

Consider a (questionable) root-owned program which does a
chown("/tmp/foo", uid, gid), with the sticky bit set on /tmp.

If /tmp/foo is a symbolic link to /etc/passwd, all is well with Linux -
it changes the ownership of the symbolic link (which is meaningless in
most cases), and /etc/passwd still belongs to root.

If, however, /tmp/foo is a HARD link to /etc/passwd, chown("/tmp/foo",
uid, gid) will lead to the user owning /etc/passwd - not a desirable
thing, in general.

My proposal would be to disallow linking a file into a directory which
has the sticky bit set unless the owner of the file is attempting this.
In other words, Joe Random Cracker can't do a 'ln /etc/passwd /tmp/foo'
beforehand.

Comments?

-- 
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
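
The following is an added example, not code from the original post or from the Linux kernel. It models the proposal in user space in two pieces: a policy function mirroring the suggested link(2) rule for sticky directories, and a defensive replacement for chown() that the "questionable root-owned program" could use in place of chown("/tmp/foo", uid, gid). The scenario is constructed: a private sticky directory stands in for /tmp and a file named "victim" stands in for /etc/passwd; the return codes and function names are this example's own. Two facts for context that the post predates: Linux chown(2) followed symlinks from 2.1.81 onward (lchown(2) is now the call that does not), so the symlink case is no longer harmless either, and Linux 3.6 added the fs.protected_hardlinks sysctl, which enforces a rule close to the one proposed here.

```c
/* Added example, not from the original post. Models the proposal in user
 * space: a policy function mirroring the suggested link(2) rule, and a
 * defensive replacement for chown() in a privileged program that must
 * touch names under a sticky directory such as /tmp. Paths, names and
 * return codes are this example's own. Build: cc -std=c99 link_demo.c */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The proposed kernel rule, modeled: into a directory with the sticky bit
 * (S_ISVTX) only the file's owner (or root) may create a hard link.
 * Ordinary directories keep classic link(2) semantics. Returns 1 = allow. */
int link_allowed(uid_t caller, mode_t dir_mode, uid_t file_owner)
{
    if (!(dir_mode & S_ISVTX)) return 1;
    if (caller == 0) return 1;
    return caller == file_owner;
}

/* Return codes of safe_chown(); negative means it refused to act. */
enum { CHOWN_OK = 0, CHOWN_ESYMLINK = -1, CHOWN_ENOTREG = -2,
       CHOWN_EMULTILINK = -3, CHOWN_EFAIL = -4 };

/* What the root-owned program should do instead of chown("/tmp/foo", ...):
 * open without following symlinks, inspect the inode, refuse anything that
 * is not a lone regular file, and chown the descriptor so the name cannot
 * be swapped between the check and the use. */
int safe_chown(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) return errno == ELOOP ? CHOWN_ESYMLINK : CHOWN_EFAIL;
    struct stat st;
    int rc = CHOWN_EFAIL;
    if (fstat(fd, &st) == 0) {
        if (!S_ISREG(st.st_mode))  rc = CHOWN_ENOTREG;
        else if (st.st_nlink != 1) rc = CHOWN_EMULTILINK; /* linked elsewhere */
        else if (fchown(fd, uid, gid) == 0) rc = CHOWN_OK;
    }
    close(fd);
    return rc;
}

/* Constructed scenario: a private sticky directory standing in for /tmp,
 * and "victim" standing in for /etc/passwd. Returns 0 on success. */
static int make_scene(char *dir, char *victim, size_t n)
{
    snprintf(dir, n, "/tmp/linkdemo.XXXXXX");
    if (!mkdtemp(dir) || chmod(dir, 01700) != 0) return -1;
    snprintf(victim, n, "%s/victim", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rmdir(dir); return -1; }
    close(fd);
    return 0;
}

/* Run safe_chown() on "foo" after the attacker has planted it as either a
 * hard link (use_hardlink=1) or a symlink to the victim; clean up after. */
static int attack(int use_hardlink)
{
    char dir[64], victim[64], foo[64];
    if (make_scene(dir, victim, sizeof dir) != 0) return CHOWN_EFAIL;
    snprintf(foo, sizeof foo, "%s/foo", dir);
    int planted = use_hardlink ? link(victim, foo) : symlink(victim, foo);
    int rc = planted == 0 ? safe_chown(foo, getuid(), getgid()) : CHOWN_EFAIL;
    unlink(foo); unlink(victim); rmdir(dir);
    return rc;
}

int attack_via_hardlink(void) { return attack(1); }
int attack_via_symlink(void)  { return attack(0); }

/* The legitimate case: the name really is a lone regular file. */
int honest_chown(void)
{
    char dir[64], victim[64];
    if (make_scene(dir, victim, sizeof dir) != 0) return CHOWN_EFAIL;
    int rc = safe_chown(victim, getuid(), getgid());
    unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("non-owner may link into sticky dir? %d\n",
           link_allowed(1001, S_IFDIR | 01777, 1000));
    printf("hard-link attack: %d, symlink attack: %d, honest: %d\n",
           attack_via_hardlink(), attack_via_symlink(), honest_chown());
    return 0;
}
```

The st_nlink check is what defeats the hard-link variant: the attacker's /tmp/foo and /etc/passwd are the same inode, so the link count seen through the descriptor is at least 2 and the program declines rather than handing the file to the caller. The check runs on the open descriptor, not on the path, so a second process cannot replace the name between the inspection and the fchown().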