Re: varlinks! (and 2.1.98 works for me)

Rogier Wolff (R.E.Wolff@BitWizard.nl)
Wed, 29 Apr 1998 09:17:27 +0200 (MET DST)


Neal Becker wrote:
>
> >>>>> "H" == H Peter Anvin <hpa@transmeta.com> writes:
>
> H> Followup to: <199804261426.QAA01875@cave.BitWizard.nl>
> H> By author: R.E.Wolff@BitWizard.nl (Rogier Wolff)
> H> In newsgroup: linux.dev.kernel
> >>
> >> Varlinks.
> >>
> >> What are varlinks?
> >>
> >> varlinks are symlinks that have a variable part in them. An example
> >> will make things clear:
> >>
> >> id[wolff@cave ~] id
> >> uid=500(wolff) gid=500(wolff) groups=100(users),500(wolff)
> >> [wolff@cave ~] ls -lF link
> >> lrwxrwxrwx 1 wolff wolff 22 Mar 10 14:12 link -> /home/wolff/tmp/${uid}/
> >> [wolff@cave ~] cd link
> >> [wolff@cave ~/link] pwd
> >> /home/wolff/tmp/500
> >> [wolff@cave ~/link]
> >>
> >> As you see, the "${uid}" part of the link isn't taken literally. It
> >> puts in my numeric uid.
> >>
> >> You can set variables by doing
> >>
> >> echo "HOME=/home/wolff" > /proc/$$/varlinks
> >>
> >> This sets the "HOME" variable, allowing ${HOME} function in a varlink.
> >> If the variable isn't found, the string is left untouched. This allows
> >> you to create a default. Just put it under the literal name
> >> '${HOME}'.
> >>
>
> First, let me point out that this same subject has been discussed here
> before. Second, let me say that I have used Apollo, which had this
> feature, and I think it's a great idea. It was previously objected
> that this feature was insecure, but I've never understood this
> objection. Perhaps someone would be kind enough to provide an example.

Peter Anvin and I have been emailing back and forth about this.
I think I now understand what he means by insecure:

Suppose I do an "lpr -s '/home/wolff/${uid}'". Then lpr will pull a
symlink which might not mean what it intended into its "secure
environment".

In this specific case, it might just print a different file than was
intended. I don't see any other problems. If the printing process
opens the file under my uid (which it should for security reasons) I
will be able to change where the symlink points. But I could've done
that already through modifying the filesystem (just print something
that already is a symlink). The result is that I can print files that
I already had access to anyway.

Does anybody know of any other setuid applications that use the
"symlink" system call?

Actually, this varlink stuff all started to prevent /tmp exploits by
giving every EUID a different /tmp directory. The "good" way of fixing
it is to make every program/script in the world use $TMPDIR and
making sure that everybody sets that to $HOME/tmp. I think that in
practice, it won't be possible to educate every script-writer to do
this.

Roger.

-- 
If it's there and you can see it, it's REAL      |___R.E.Wolff@BitWizard.nl  |
If it's there and you can't see it, it's TRANSPARENT |  Tel: +31-15-2137555  |
If it's not there and you can see it, it's VIRTUAL   |__FAX:_+31-15-2138217  |
If it's not there and you can't see it, it's GONE! -- Roy Wilks, 1983  |_____|
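As an added illustration (not part of this email or of the varlinks patch), a small Python model of the expansion rule quoted above, with a hypothetical `Process` class standing in for `/proc/$$/varlinks`: the same link resolves to a different target depending on which process follows it, which is the lpr concern Roger describes, and an unset `${HOME}` is left literal so a real directory of that name can act as the default.

```python
import re

# Matches the ${name} placeholders a varlink target may contain.
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand_varlink(target: str, variables: dict) -> str:
    """Expand ${name} from a per-process table; unknown names stay literal,
    so a real directory named '${HOME}' can serve as the default."""
    return VAR_RE.sub(lambda m: variables.get(m.group(1), m.group(0)), target)


class Process:
    """Hypothetical stand-in for a process and its /proc/<pid>/varlinks."""

    def __init__(self, uid: int):
        self.uid = uid
        self.variables = {"uid": str(uid)}  # 'uid' is supplied by the kernel

    def set_varlink(self, line: str) -> None:
        # Mirrors: echo "HOME=/home/wolff" > /proc/$$/varlinks
        name, _, value = line.strip().partition("=")
        self.variables[name] = value


def resolve(path: str, links: dict, proc: Process) -> str:
    """Follow varlinks in a constructed link table as proc would see them."""
    for _ in range(8):  # bound the chain, like ELOOP on a real kernel
        if path not in links:
            return path
        path = expand_varlink(links[path], proc.variables)
    raise RuntimeError("too many levels of symbolic links")


def contrast_resolution() -> dict:
    """Resolve the same varlink as its owner and as a privileged daemon."""
    # Constructed link table: the thread's example plus a ${HOME} default.
    links = {
        "/home/wolff/link": "/home/wolff/tmp/${uid}/",
        "/home/wolff/scratch": "${HOME}/tmp",
    }
    wolff = Process(uid=500)
    wolff.set_varlink("HOME=/home/wolff")
    lp_daemon = Process(uid=7)  # e.g. a print daemon's context; HOME unset
    return {
        "owner": resolve("/home/wolff/link", links, wolff),
        "daemon": resolve("/home/wolff/link", links, lp_daemon),
        "owner_home": resolve("/home/wolff/scratch", links, wolff),
        "daemon_default": resolve("/home/wolff/scratch", links, lp_daemon),
    }
```

The two `link` results differ only because the resolver's variable table differs, which is exactly why a setuid program that follows a user-supplied path can end up at a file the user never named.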
