Re: Proposal: restrict link(2)

Hubert Mantel (mantel@suse.de)
Wed, 11 Dec 1996 11:07:35 +0100 (MET)


Hello,

On Wed, 11 Dec 1996, Thomas Koenig wrote:

> The possibilities of playing around with symlinks in /tmp are well
> known and understood.
>
> However, there are also many things which can go wrong with publicly
> writable directories, such as /tmp, when hard links are employed.
>
> Consider a (questionable) root-owned program which does a
> chown("/tmp/foo", uid, gid), with the sticky bit set on /tmp.
>
> If /tmp/foo is a symbolic link to /etc/passwd, all is well with Linux -
> it changes the ownership of the symbolic link (which is meaningless in
> most cases), and /etc/passwd still belongs to root.
>
> If, however, /tmp/foo is a HARD link to /etc/passwd, chown("/tmp/foo",
> uid, gid) will lead to the user owning /etc/passwd - not a desirable
> thing, in general.
>
> My proposal would be to disallow linking a file into a directory which
> has the sticky bit set unless the owner of the file is attempting this.
> In other words, Joe Random Cracker can't do a 'ln /etc/passwd /tmp/foo'
> beforehand.
>
> Comments?

I would not like to have /etc/passwd on the same file system as /tmp. I
think critical systems should have a really small root partition and
everything else should reside on separate partitions, so no hard linking
to the files mentioned is possible.

> Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.

Hubert mantel@suse.de