Re: security warning

Alan Cox (alan@lxorguk.ukuu.org.uk)
Tue, 16 Dec 1997 22:25:26 +0000 (GMT)


> I think Linux currently allows following a symlink for just about anything
> (mkdir(), link()) etc, which is partly just because it's so easy to do
> with the new dentry scheme, and it is consistent. Most other unixes seem
> to allow symlink following for some things (creat) but not others (mkdir).

One problem is it follows it for a lot more than it used to. Following symlinks
on creation is bad. It causes a lot of "symlink traps". 2.0 stamps on the
symlink and tough the hacker loses. It's an issue because stuff like sendmail
checks for the problem and builds appropriately. That means standard sendmail
builds configured on 2.0 and run on 2.1 have exploitable holes for example.

There is a definite security wisdom that following a symlink as the last
component of a creation operation is bad. That is

if /foo is a symlink

mkdir /foo/bar is fine
mkdir /foo or open("/foo", O_CREAT) should error or remove it

I'll have a look at the stuff if it's supposed to be easy to fix 8)

Alan
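
The rule in the message above (a symlink is fine as an intermediate component but must not be followed as the last component of a creation call), shown as an added example that is not part of the original message. It checks the behaviour POSIX specifies for mkdir() and open() with O_CREAT|O_EXCL, next to plain O_CREAT, which does follow the link; the names "real", "foo", "trap" and "victim" are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700  /* for mkdtemp(), symlink(), lstat() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed names: "real" is a directory, "foo" -> "real",
 * "trap" -> "victim" is a dangling symlink ("victim" does not exist).
 * Returns 0 if every step behaves as commented, else the failing step. */
int check_symlink_creation(void)
{
    char dir[] = "/tmp/symtrapXXXXXX";
    struct stat st;
    int fd = -1, rc = 0;

    if (!mkdtemp(dir) || chdir(dir) != 0 || mkdir("real", 0700) != 0 ||
        symlink("real", "foo") != 0 || symlink("victim", "trap") != 0)
        return -1;

    /* 1. Symlink as an intermediate component is followed: real/bar appears. */
    if (mkdir("foo/bar", 0700) != 0 || stat("real/bar", &st) != 0)
        rc = 1;
    /* 2. Symlink as the last component of mkdir(): refused with EEXIST. */
    else if (mkdir("foo", 0700) == 0 || errno != EEXIST)
        rc = 2;
    /* 3. O_CREAT|O_EXCL refuses the symlink and leaves "victim" uncreated. */
    else if ((fd = open("trap", O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0 ||
             errno != EEXIST || lstat("victim", &st) == 0)
        rc = 3;
    /* 4. Plain O_CREAT follows the link and creates "victim": the trap. */
    else if ((fd = open("trap", O_WRONLY | O_CREAT, 0600)) < 0 ||
             lstat("victim", &st) != 0 || !S_ISREG(st.st_mode))
        rc = 4;
    if (fd >= 0) close(fd);

    unlink("victim"); unlink("trap"); unlink("foo");
    rmdir("real/bar"); rmdir("real");
    if (chdir("/") == 0) rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = check_symlink_creation();
    printf("first unexpected step: %d (0 = none)\n", rc);
    return rc != 0;
}
```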