[1235] in linux-security and linux-alert archive


[linux-security] t bit and symlinks patch

daemon@ATHENA.MIT.EDU (Andrew Tridgell)
Fri Oct 18 11:00:55 1996

From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: linux-security@tarsier.cv.nrao.edu
CC: linux-kernel@vger.rutgers.edu, Linus.Torvalds@Helsinki.FI
Reply-to: Andrew.Tridgell@anu.edu.au
Date: 	Fri, 18 Oct 1996 22:40:52 +1000

Here is an implementation of my proposal for fixing the
"symlink-in-/tmp" style of security hole.

Please let me know if you can see any problems with this patch, or a
better way of doing it.

This patch is against kernel 2.0.22 but should work with any recent
kernel.

Cheers, Andrew



--- linux/fs/namei.c.orig	Fri Oct 18 22:21:43 1996
+++ linux/fs/namei.c	Fri Oct 18 22:07:06 1996
@@ -17,6 +17,7 @@
 #include <linux/fcntl.h>
 #include <linux/stat.h>
 #include <linux/mm.h>
+#include <linux/config.h>
 
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
 
@@ -205,6 +206,20 @@
 		*res_inode = inode;
 		return 0;
 	}
+#ifdef CONFIG_SYMLINK_FIX
+	/* don't follow links in directories that have the t bit set
+	   if the fsuid != the owner of the link. This stops all 
+	   the nasty "symlink-in-/tmp" security holes. Note
+	   that this explicitly includes root (tridge)
+	   */
+	if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
+	    current->fsuid != inode->i_uid) {
+		iput(dir);
+		iput(inode);
+		*res_inode = NULL;
+		return -EPERM;
+	}
+#endif
 	return inode->i_op->follow_link(dir,inode,flag,mode,res_inode);
 }
 
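Review bot: The ownership test in the added block (current->fsuid != inode->i_uid) makes no exception for links owned by the owner of the sticky directory itself, so a link placed there by the directory's owner cannot be followed by any other user, although that owner already controls the directory. Consider also permitting the follow when inode->i_uid == dir->i_uid. Separately, the -EPERM return is silent; a printk recording the fsuid and the link owner would let an administrator see blocked attempts and diagnose programs that break when the option is enabled.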
--- linux/fs/Config.in.orig	Fri Oct 18 22:21:24 1996
+++ linux/fs/Config.in	Fri Oct 18 22:06:10 1996
@@ -6,6 +6,7 @@
 
 bool	 'Quota support' CONFIG_QUOTA
 bool	 'Mandatory lock support' CONFIG_LOCK_MANDATORY
+bool	 'Symlink security fix' CONFIG_SYMLINK_FIX
 tristate 'Minix fs support' CONFIG_MINIX_FS
 tristate 'Extended fs support' CONFIG_EXT_FS
 tristate 'Second extended fs support' CONFIG_EXT2_FS
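Review bot: The prompt 'Symlink security fix' on the added bool line does not say what behaviour changes, and "fix" suggests a pure bug fix although the option alters link-following semantics. A descriptive prompt such as 'Restrict following symlinks in sticky (+t) directories' would tell someone configuring the kernel what they are enabling without having to open the help text.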
--- linux/Documentation/Configure.help.orig	Fri Oct 18 22:22:23 1996
+++ linux/Documentation/Configure.help	Fri Oct 18 22:13:16 1996
@@ -2798,6 +2798,17 @@
   writing none of these are available. So it's safest to say N here
   unless you really know that you need this feature.
 
+Symlink security fix
+CONFIG_SYMLINK_FIX
+  A very common class of security hole on unix-like systems involves a 
+  malicious user creating a symbolic link in /tmp pointing
+  at another users file (often a file owned by root). When the victim
+  then writes to that file they inadvertently write to the wrong file.  
+  Enabling this option fixes this class of security hole by preventing
+  a process from following a link which is in a directory with the t bit
+  set unless they own the link. 
+  It is highly recommended that you say yes to this option.
+
 Minix fs support
 CONFIG_MINIX_FS
   Minix is a simple operating system used in many classes about
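Review bot: The added help entry describes the benefit but not the visible behaviour change: it should state that the blocked lookup fails with EPERM, that the restriction applies to root as well (the namei.c comment says so, the help text does not), and that existing links in t-bit directories owned by a different user will stop resolving for everyone but their owner. Also, "another users file" should read "another user's file", and the trailing whitespace on three of the added lines can be dropped.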
