coreutils

Re: cp, ln, mv, install: check for vulnerable target directories


From: Kaz Kylheku (Coreutils)
Subject: Re: cp, ln, mv, install: check for vulnerable target directories
Date: Wed, 20 Sep 2017 15:58:26 -0700
User-agent: Roundcube Webmail/0.9.2

On 19.09.2017 00:25, Paul Eggert wrote:
> For years cp and friends have been subject to a symlink attack, in
> that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
> directories that the user has access to, if b's parent directory is
> world-writable and is not sticky and is manipulated by a malicious
> user.

From patch:

PE> +environment variable.)  For example, if @file{/tmp/risky/d} is a
PE> +directory whose parent @file{/tmp/risky} is is world-writable and is
PE> +not sticky, the command @samp{cp passwd /tmp/risky/d} fails with
PE> +a diagnostic reporting a vulnerable target directory, as an attacker
PE> +could replace @file{/tmp/risky/d} by a symbolic link to a victim
PE> +directory while @command{cp} is running.  In this example, you can
PE> +suppress the heuristic by issuing one of the following shell commands
PE> +instead:
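
Review bot: The second added line of this Texinfo hunk reads "@file{/tmp/risky} is is world-writable" with a doubled "is"; drop one. The example would also be easier to act on if it quoted the diagnostic that @samp{cp passwd /tmp/risky/d} prints, since the text only says it reports "a vulnerable target directory".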

Instead of checking for what *could* go wrong, why not defend more
specifically against signs that the attack might be actually happening?

Somehow detect, "Uh oh! Parent is writable by another non-root user, and
the last component opened through a symlink!" while carefully guarding
against race conditions that could render such a defense tactic less than
fully effective.
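
The two checks discussed in this message, as an added example that is not part of the original message or of the coreutils patch: the patch's parent-directory condition (world-writable and not sticky) and the narrower "last component is a symlink" signal, evaluated through file descriptors so the result describes the directory actually opened. The function name `check_target_dir` and the verdict names are hypothetical, and the sketch assumes the path components above the parent are trusted.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
enum verdict { TARGET_OK, PARENT_RISKY, SYMLINK_IN_RISKY_PARENT, CHECK_ERROR };
/* check_target_dir is a hypothetical helper, not a coreutils function.
   On TARGET_OK or PARENT_RISKY, *fd_out is the directory that was actually
   checked; keep working through it (openat etc.) rather than re-resolving
   the path, so a later swap of the name cannot redirect the copy. */
enum verdict check_target_dir(const char *path, int *fd_out)
{
    char dbuf[4096], bbuf[4096];
    struct stat st;
    enum verdict v = CHECK_ERROR;
    *fd_out = -1;
    if (strlen(path) >= sizeof dbuf) return CHECK_ERROR;
    strcpy(dbuf, path);              /* dirname/basename may modify input */
    strcpy(bbuf, path);
    const char *base = basename(bbuf);
    int pfd = open(dirname(dbuf), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (pfd < 0) return CHECK_ERROR;
    if (fstat(pfd, &st) == 0) {
        /* Condition from the patch: world-writable and not sticky. */
        int risky = (st.st_mode & S_IWOTH) && !(st.st_mode & S_ISVTX);
        /* Refuse to follow a final symlink only when the parent is risky. */
        int fd = openat(pfd, base, O_RDONLY | O_DIRECTORY | O_CLOEXEC
                                   | (risky ? O_NOFOLLOW : 0));
        if (fd >= 0) {
            *fd_out = fd;
            v = risky ? PARENT_RISKY : TARGET_OK;
        } else if (risky && fstatat(pfd, base, &st, AT_SYMLINK_NOFOLLOW) == 0
                   && S_ISLNK(st.st_mode)) {
            v = SYMLINK_IN_RISKY_PARENT;
        }
    }
    close(pfd);
    return v;
}

int main(int argc, char **argv)
{
    int fd, v = argc > 1 ? check_target_dir(argv[1], &fd) : CHECK_ERROR;
    printf("verdict=%d\n", v);
    return v == CHECK_ERROR;
}
```

A caller following the patch's heuristic would refuse on `PARENT_RISKY`; one following the suggestion in this message would refuse only on `SYMLINK_IN_RISKY_PARENT` and otherwise continue through the returned descriptor.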



