Re: cp, ln, mv, install: check for vulnerable target directories

[Kaz Kylheku (Coreutils)]

On 20.09.2017 18:59, Paul Eggert wrote:
> Kaz Kylheku (Coreutils) wrote:
> > Instead of checking for what *could* go wrong, why not defend more
> > specifically against signs that the attack might be actually 
> > happening.
>
> That's what the patch is trying to do, though it looks like it should
> be improved.

There is a simple operating system fix for this: do not allow processes
to create symlinks in directories to which they only have write accesses 
via
S_IWOTH.

More precisely, the proposal is that if a process want to create a 
symlink,
then it either has to be root, or else the owner of the directory with 
S_IWUSR
asserted on the directory, or else the group owner (directly or via a
supplementary GID) with S_IWGRP asserted.  For the purposes of creating 
a
symlink, the directory is treated as if S_IWOTH is false, even if set.

The main use case for shared writable directories is /tmp and "spool" 
directories.

I can't think of a legit reason to be creating symlinks in those 
directories,
only subdirectories (in which the creator then make symlinks),
regular files, and some special objects like sockets.

A symlink in a shared writable directory is nothing more than a "name 
squatting"
trap. Ergo, don't allow that.  Or else, the responsibility for defense 
then
spreads all over the system, such as into basic utilities!