[32550] in bugtraq
Re: hard links on Linux create local DoS vulnerability and security problems
daemon@ATHENA.MIT.EDU (Bruno Lustosa)
Mon Nov 24 14:34:07 2003
Date: Mon, 24 Nov 2003 16:25:37 -0200
From: Bruno Lustosa <bruno@lustosa.net>
To: bugtraq@securityfocus.com
Message-ID: <20031124182537.GA20997@lustosa.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+"
Content-Disposition: inline
In-Reply-To: <200311241736.29572.jlell@JakobLell.de>
--8t9RHnE3ZwKMSgU+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
* Jakob Lell <jlell@JakobLell.de> [24-11-2003 16:11]:
> Furthermore, users can even create links to a setuid binary. If there is =
a=20
> security whole like a buffer overflow in any setuid binary, a cracker can=
=20
> create a hard link to this file in his home directory. This link still ex=
ists=20
> when the administrator has fixed the security whole by removing or replac=
ing=20
> the insecure program. This makes it possible for a cracker to keep a secu=
rity=20
> whole open until an exploit is available. It is even possible to create l=
inks=20
> to every setuid program on the system. This doesn't create new security=
=20
> wholes but makes it more likely that they are exploited.
Just checked this on 2.6.0-test9, and it will not work.
When you create a hard link to a setuid or any other file, it will
inherit the same owner and mode of the original. However, if the
original file is changed (owner, group, mode, or content), the link will
reflect those changes as well.
--=20
Bruno Lustosa, aka Lofofora | Email: bruno@lustosa.net
Network Administrator/Web Programmer | ICQ UIN: 1406477
Rio de Janeiro - Brazil |
--8t9RHnE3ZwKMSgU+
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/wk0hiNfNvfQ8L5IRApRaAKCAmdEW8rxST6gCpBhnZgn4oZcg2QCgqxk4
Vjs34ly93gqZQL1XYsKCMsw=
=EHWR
-----END PGP SIGNATURE-----
--8t9RHnE3ZwKMSgU+--
