[1254] in linux-security and linux-alert archive
Re: [linux-security] Re: t bit and symlinks patch
daemon@ATHENA.MIT.EDU (Andrew Tridgell)
Thu Oct 24 13:40:08 1996
From: Andrew Tridgell <tridge@arvidsjaur.anu.edu.au>
To: wietse@wzv.win.tue.nl
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <199610211637.SAA24548@wzv.win.tue.nl> (wietse@wzv.win.tue.nl)
Reply-to: Andrew.Tridgell@anu.edu.au
Date: Tue, 22 Oct 1996 09:01:36 +1000

Wietse wrote:
> Hard links, soft links, either is sufficient to attack sensitive files
> by exploiting naive programs, but the `t' bit is not a requirement at
> all. Am I missing something here?

The security problems only occur when one user is able to create a
link that affects what another user's program will do. This occurs in
directories to which multiple users can write. The main examples are
/tmp, /var/spool/uucp, /var/spool/mail etc.

When you want to make such directories "safe" while still enabling
multiple users to write, you set the t bit. The t bit means that only
the owner of the file can delete the file, which is normally what is
wanted in a shared directory. If you don't have the t bit set in a
shared directory then you either trust everyone who can write to the
directory or you are very insecure.

The proposed changes to the behaviour of links extend this idea by
making the t bit also limit other behaviour which is even more
dangerous than allowing people to delete files. Allowing users to
follow links owned by other users is more dangerous than allowing them
to delete files because by following links they can destroy files
anywhere on the system, not just the files created by the programs that
write to /tmp.

Cheers, Andrew
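
The rule described in the message above, as an added example that is not part of the original post or of the patch under discussion. It assumes the policy is "in a directory with the t bit set, a symlink may be followed only by the user who owns it"; the function names and the sample uids are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure policy decision (assumed rule, see the lead-in).
 * Returns 1 if `follower` may follow the link, 0 if not. */
int link_follow_allowed(const struct stat *dir, const struct stat *link,
                        uid_t follower)
{
    if (!S_ISLNK(link->st_mode))
        return 1;                    /* not a symlink: nothing to follow */
    if (!(dir->st_mode & S_ISVTX))
        return 1;                    /* no t bit: unrestricted behaviour */
    return link->st_uid == follower; /* t bit: only the link's owner */
}

/* Apply the policy to a real path. Returns 1 allow, 0 deny, -1 on error. */
int may_follow(const char *path, uid_t follower)
{
    char buf[PATH_MAX];
    struct stat dir, link;
    if (strlen(path) >= sizeof buf)
        return -1;
    strcpy(buf, path);               /* dirname() may modify its argument */
    if (lstat(path, &link) != 0 || stat(dirname(buf), &dir) != 0)
        return -1;
    return link_follow_allowed(&dir, &link, follower);
}

int main(void)
{
    /* Constructed sample: a /tmp-like directory (mode 1777) owned by root,
     * containing a symlink created by uid 1001. */
    struct stat dir = { .st_mode = S_IFDIR | 01777, .st_uid = 0 };
    struct stat link = { .st_mode = S_IFLNK | 0777, .st_uid = 1001 };

    printf("uid 1001, own link:      %d\n", link_follow_allowed(&dir, &link, 1001));
    printf("uid 1002, 1001's link:   %d\n", link_follow_allowed(&dir, &link, 1002));
    dir.st_mode = S_IFDIR | 0777;    /* same directory without the t bit */
    printf("uid 1002, no t bit:      %d\n", link_follow_allowed(&dir, &link, 1002));
    return 0;
}
```

A check like `may_follow()` done in user space can be raced between the `lstat()` and the later open, so it is useful for auditing a shared directory rather than as enforcement; enforcing the rule at link-resolution time requires the kernel.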