[837] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] publically writable directories

daemon@ATHENA.MIT.EDU (Thomas Koenig)
Fri Jun 21 17:12:39 1996

To: linux-security@tarsier.cv.nrao.edu (linux-security)
Date: Fri, 21 Jun 1996 22:13:59 +0200 (MET DST)
From: Thomas Koenig <ig25@mvmampc66.ciw.uni-karlsruhe.de>

Following a thread on bugtraq, I checked wether Linux was indeed
vulnerable to putting symlinks into publically writable directories,
i.e. /tmp:

$ uname -s -r
Linux 2.0.0
$ rm -f myfile bar
$ cat symlink.c
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

int main()
{
    int fd;

    fd = open("myfile",O_CREAT|O_EXCL, 0600);
    if (fd == -1) {
        perror("open failed");
    }
    return 0;
}
$ cc symlink.c
$ ln -s bar myfile
$ ls -l myfile
lrwxrwxrwx   1 ig25     ig00            3 Jun 21 21:55 myfile -> bar
$ ./a.out
open failed: File exists

So, it appears that Linux 2.0.0 is safe from this attack, at least.
>From what I read on bugtraq, so are IRIX 5.3, SunOS 4.1.2 and 4.1.3_U1,
Ultrix 4.1, 4.2 and 4.3A, and DEC OSF/1 2.1 and 3.2.  IRIX 4.0.1 and
4.0.5f seem to be vulnerable, as is HP-UX 9.0.5.
-- 
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.

home help back first fref pref prev next nref lref last post