[8120] in bugtraq
using Solaris pax to get files mode 777
daemon@ATHENA.MIT.EDU (Hubert Feyrer)
Mon Oct 5 16:57:03 1998
Date: Mon, 5 Oct 1998 11:20:35 +0200
Reply-To: Hubert Feyrer <feyrer@RFHS8012.FH-REGENSBURG.DE>
From: Hubert Feyrer <feyrer@RFHS8012.FH-REGENSBURG.DE>
To: BUGTRAQ@NETSPACE.ORG
Hi,
I've discovered a bug in Solaris 2.5 and 2.6's pax (probably others) that
might be exploited somehow - at least it can open security holes if you
don't know about it (like I did). The problem is that - when copying a
symlink with pax - it sets the permissions of the file the symlink points
to to mode 777. The file may be placed anywhere.
Example:
rfhs8012# cd /tmp
rfhs8012# mkdir test
rfhs8012# cd test
rfhs8012# mkdir orig copy
rfhs8012# touch non-public-file
rfhs8012# ln -s `pwd`/non-public-file orig
rfhs8012# ls -laL orig
total 16
drwxr-xr-x 2 root other 117 Oct 5 11:05 .
drwxr-xr-x 4 root other 191 Oct 5 11:05 ..
-rw-r--r-- 1 root other 0 Oct 5 11:05 non-public-file
rfhs8012# find . -ls
18 4 drwxr-xr-x 4 root other 191 Oct 5 11:05 .
19 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./orig
23 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
21 4 drwxr-xr-x 2 root other 69 Oct 5 11:04 ./copy
22 0 -rw-r--r-- 1 root other 0 Oct 5 11:05 ./non-public-file
rfhs8012# pax -rw -pe -v orig copy
copy/orig
copy/orig/non-public-file
rfhs8012# find . -ls
18 4 drwxr-xr-x 4 root other 191 Oct 5 11:05 .
19 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./orig
23 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
21 4 drwxr-xr-x 3 root other 106 Oct 5 11:05 ./copy
24 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./copy/orig
25 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./copy/orig/non-public-file -> /tmp/test/non-public-file
22 0 -rwxrwxrwx 1 root other 0 Oct 5 11:05 ./non-public-file
Et voila - the non-public-file is suddenly somewhat public(ally
writeable). The problem has been reported to Sun.
- Hubert
--
Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
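As an added illustration (not part of the original post, and not Sun's or Hubert's code), the following Python shows the defensive side of the bug described above: a tree copy that restores modes from lstat() and never calls chmod() on a symlink path, plus an audit routine that reports regular files left world-writable, which is the symptom seen in the find output. The layout it builds in a scratch directory is a constructed sample modelled on the post; it assumes a POSIX system with symlink support.

```python
import os
import stat
import tempfile

def mirror(src: str, dst: str) -> None:
    """Copy src to dst, restoring modes from lstat(). A symlink is recreated
    as a link and never chmod()ed: chmod() on a path follows the link, which
    is how the target in the post ended up 777."""
    os.makedirs(dst, exist_ok=True)
    with os.scandir(src) as entries:
        for entry in entries:
            target = os.path.join(dst, entry.name)
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISLNK(st.st_mode):
                os.symlink(os.readlink(entry.path), target)
                continue
            if stat.S_ISDIR(st.st_mode):
                mirror(entry.path, target)
            else:
                with open(entry.path, "rb") as fin, open(target, "wb") as fout:
                    fout.write(fin.read())
            os.chmod(target, stat.S_IMODE(st.st_mode))
    os.chmod(dst, stat.S_IMODE(os.lstat(src).st_mode))

def world_writable(root: str) -> list[str]:
    """Regular files under root (links not followed) writable by 'other':
    the symptom to audit for after an archive copy on an affected system."""
    hits = []
    for cur, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(cur, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)

def demo() -> tuple[int, list[str], bool]:
    """Constructed sample mirroring the post: orig/ holds a symlink to a 0644
    file one level up. Copy it; return final mode, world-writable files, is-link."""
    base = tempfile.mkdtemp()
    secret = os.path.join(base, "non-public-file")
    orig, copy = os.path.join(base, "orig"), os.path.join(base, "copy", "orig")
    os.mkdir(orig)
    open(secret, "w").close()
    os.chmod(secret, 0o644)
    os.symlink(secret, os.path.join(orig, "non-public-file"))
    mirror(orig, copy)
    link_copy = os.path.join(copy, "non-public-file")
    return (stat.S_IMODE(os.lstat(secret).st_mode), world_writable(base), os.path.islink(link_copy))
```

After the copy the target keeps mode 0644, the audit finds nothing world-writable, and the copied entry is still a symlink, which is the behaviour the -pe copy in the post should have had.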