[1234] in linux-security and linux-alert archive
[linux-security] a /tmp solution
daemon@ATHENA.MIT.EDU (Andrew Tridgell)
Fri Oct 18 10:55:10 1996
From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: linux-security@tarsier.cv.nrao.edu
Reply-to: Andrew.Tridgell@anu.edu.au
Date: Fri, 18 Oct 1996 10:39:35 +1000
Here is yet another proposal for a generic fix to the security
problems inherent in /tmp.
Most (all?) of the problems center around using a symlink in /tmp to
redirect a sloppily written filesystem operation to another place on
the system. It seems to me that we need a way of preventing this kind
of thing without disrupting the legitimate use of symlinks. Trying to
fix every piece of code (and script) out there that might write to
/tmp is a battle we can't win.
My proposal is to change the semantics of symlinks when they are in
directories which have the 't' bit set. Specifically, the namei code
would not follow a symlink if the symlink is in a directory with the t
bit set and the euid of the process does not match the owner of the
symlink. This specifically includes the case where the euid of the
process is 0 (thus root could not follow symlinks in /tmp that it does
not own)
I think that this would prevent all the /tmp symlink attacks I have
heard of, and yet I don't think it would significantly impact on
legitimate uses for symlinks, including in /tmp.
I think that readlink() should be left alone, so "ls -l" will still
show the destination of the link. Only the namei code would be
altered.
One problem might be the performance impact of looking up the
permissions on the directory when following all symlinks, but I think
that this can be minimised with a bit of careful coding.
I know there have been other proposals on how to fix this problem, but
in each case I think that the proposed changes were a bit too
intrusive into the "normal" way people run unix boxes. I hope that the
above proposal solves this.
I started thinking about this while fixing a symlink-in-/tmp security
hole in Samba. It required some quite careful coding (much more than
just setting O_EXCL). At the same time I realised how many other
common uses for /tmp may be vulnerable.
For example, I often do things like "cat foo.dat | cut -f3 | sort -u >
/tmp/foo". I know I should instead use ~/tmp/foo but old habits die
hard. How many home-grown admin scripts are there out there that put
stuff in /tmp using shell commands like that one?
Cheers, Andrew