[7211] in bugtraq
Re: Linux kernel filesystem oddities
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Fri Jul 10 12:07:39 1998
Date: Thu, 9 Jul 1998 15:56:59 -0400
Reply-To: Jeffrey Hutzelman <jhutz+@cmu.edu>
From: Jeffrey Hutzelman <jhutz+@CMU.EDU>
X-To: peak@kerberos.troja.mff.cuni.cz
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.980708213909.374E-100000@kerberos.troja.mff.cuni.cz>
> Owners are stored in i-nodes. Directory entries are nothing but
> (filename, i-node number) pairs.
>
> link("publicly-visible-file", "world-writable-directory/blah")
> is as anonymous as
> write(open("/world-writable-file", O_WRONLY), "blah", 4)

True. However, one might argue that the former should fail with
EPERM, unless you happen to own "publicly-visible-file". In fact,
I thought I saw a patch go through here a while back that did exactly
that, if "world-writable-directory" was also sticky.

In general, publicly-writable directories are a bad thing. They are
the cause (or at least part of the cause) of numerous vulnerabilities,
most much worse than the DoS attack described here.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
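
The two points in the message above, as an added example that is not part of the original post or of any kernel patch: a new directory entry shares the inode and owner of the existing file, and an ownership check of the kind the reply describes would return EPERM. The function names `link_policy` and `demo_shared_inode`, the uids and the temporary paths are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE  /* for mkdtemp() and S_ISVTX */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical model of the rule in the reply: a link into a sticky,
 * world-writable directory is refused (EPERM) unless the caller owns the file. */
int link_policy(const struct stat *src, const struct stat *dir, uid_t caller)
{
    int sticky_public = (dir->st_mode & S_ISVTX) && (dir->st_mode & S_IWOTH);
    return (sticky_public && src->st_uid != caller) ? EPERM : 0;
}

/* Creates a file and a second name for it under a private temp directory
 * (constructed paths); returns 0 if both names share one inode and one owner. */
int demo_shared_inode(void)
{
    char dir[] = "/tmp/linkdemoXXXXXX";
    char a[64], b[64];
    struct stat sa, sb;
    int fd, ok = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(a, sizeof a, "%s/original", dir);
    snprintf(b, sizeof b, "%s/blah", dir);
    fd = open(a, O_CREAT | O_EXCL | O_WRONLY, 0644);
    if (fd >= 0) {
        close(fd);
        if (link(a, b) == 0 && stat(a, &sa) == 0 && stat(b, &sb) == 0 &&
            sa.st_ino == sb.st_ino && sa.st_uid == sb.st_uid && sb.st_nlink == 2)
            ok = 0;  /* the entry "blah" has no owner of its own */
        unlink(b); unlink(a);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    struct stat src = {0}, tmp = {0};
    src.st_uid = 1000;              /* constructed owner of the source file */
    tmp.st_mode = S_IFDIR | 01777;  /* constructed sticky, world-writable dir */
    printf("shared inode and owner: %s\n", demo_shared_inode() == 0 ? "yes" : "no");
    printf("owner: %d  other uid: %d\n", link_policy(&src, &tmp, 1000),
           link_policy(&src, &tmp, 1001));
    return 0;
}
```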