> Imagine a
> chroot() environment, for a moment - symlinks don't work to the outside,
> but hardlinking does.
If Linux ever supports hardlinked directories, I really hope there's some way
to prevent them. That's one of the reasons for the .. sanity check I thought.
Now:
* attacker discovers a directory temporarily open (bad permissions)
* attacker hardlinks to some of the files in there
* the security checker notices the link count increase
The future:
* attacker discovers a directory temporarily open (bad permissions)
* attacker hardlinks to a subdirectory in it
* you need yet another security check to check the link count on directories
matches the number of real files in it, and the check has to watch for
modifications as it is checking, etc, etc
It adds a whole new check to Linux security checkers, and a while new
incompatibility to mainstream Unix.
Maybe I'm just paranoid. But every little change like this makes me worry.
(I'm still not happy that ld.so doesn't protect execute-only binaries from
LD_PRELOADs reading their code pages, and so on... you can't depend on Linux
enforcing traditional Unix security)
David.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/