[837] in linux-security and linux-alert archive
[linux-security] publically writable directories
daemon@ATHENA.MIT.EDU (Thomas Koenig)
Fri Jun 21 17:12:39 1996
To: linux-security@tarsier.cv.nrao.edu (linux-security)
Date: Fri, 21 Jun 1996 22:13:59 +0200 (MET DST)
From: Thomas Koenig <ig25@mvmampc66.ciw.uni-karlsruhe.de>
Following a thread on bugtraq, I checked wether Linux was indeed
vulnerable to putting symlinks into publically writable directories,
i.e. /tmp:
$ uname -s -r
Linux 2.0.0
$ rm -f myfile bar
$ cat symlink.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main()
{
int fd;
fd = open("myfile",O_CREAT|O_EXCL, 0600);
if (fd == -1) {
perror("open failed");
}
return 0;
}
$ cc symlink.c
$ ln -s bar myfile
$ ls -l myfile
lrwxrwxrwx 1 ig25 ig00 3 Jun 21 21:55 myfile -> bar
$ ./a.out
open failed: File exists
So, it appears that Linux 2.0.0 is safe from this attack, at least.
>From what I read on bugtraq, so are IRIX 5.3, SunOS 4.1.2 and 4.1.3_U1,
Ultrix 4.1, 4.2 and 4.3A, and DEC OSF/1 2.1 and 3.2. IRIX 4.0.1 and
4.0.5f seem to be vulnerable, as is HP-UX 9.0.5.
--
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.