From owner-freebsd-hackers Fri Oct 18 12:00:05 1996
From: Guido van Rooij
Message-Id: <199610181859.UAA14544@spooky.lss.cp.philips.com>
Subject: fix for symlinks in /tmp (fwd) FYI
To: freebsd-hackers@freebsd.org
Date: Fri, 18 Oct 1996 20:59:09 +0200 (MET DST)
Reply-To: Guido.vanRooij@nl.cis.philips.com
Sender: owner-hackers@freebsd.org

----- Forwarded message from Andrew Tridgell -----

>From owner-bugtraq@NETSPACE.ORG Fri Oct 18 19:47:53 1996
Approved-By: ALEPH1@UNDERGROUND.ORG
Approved-By: Andrew Tridgell
Message-ID: <96Oct18.230213+1000est.65277-170+2281@arvidsjaur.anu.edu.au>
Date: Fri, 18 Oct 1996 23:02:01 +1000
Reply-To: Andrew.Tridgell@anu.edu.au
Sender: Bugtraq List
From: Andrew Tridgell
Subject: fix for symlinks in /tmp
To: Multiple recipients of list BUGTRAQ

I have created a patch for Linux that fixes the generic problem of
security holes due to symlinks being used in /tmp.

The patch changes the kernel's namei code so that symlinks will not be
followed if:

  1) the t bit is set on the directory containing the symlink
and
  2) the euid of the process does not match the owner of the symlink.

The patch explicitly includes root, so root will not be able to follow
symlinks in /tmp unless it owns them.

I believe this change fixes all the "symlink-in-/tmp" style of
security holes while having a minimal impact on the normal use of
symlinks.

In case you don't think this change is necessary you should think
about how many recent security holes in unix-like systems have been
due to sloppy coding of programs that create files in /tmp. I also
noticed today that gcc is vulnerable to this kind of bug (as of
version 2.7.2), so potentially you can attack anyone who compiles
anything on your system.

I know there have been other proposed generic fixes for this style of
bug, but they tend to suffer from the problem of requiring people to
change the way they work. The above fix should not be very noticeable
to normal users of a system.

I've submitted the patch to Linus, and have also made it available on
ftp://samba.anu.edu.au/pub/linux/symlink.patch

The patch is against Linux kernel 2.0.22, although it should work with
any recent kernel. The active part of the patch is only a few lines
long.

Can anyone see any problems with this proposal?

Cheers, Andrew

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Andrew Tridgell                      Dept. of Computer Science
email: Andrew.Tridgell@anu.edu.au    Australian National University
Phone: +61 6 254 8209                Fax: +61 6 249 0010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

----- End of forwarded message from Andrew Tridgell -----
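
The two conditions in the forwarded message, written out as a user-space C model. This is an added example, not part of the original message and not code from the patch, which changes the kernel's namei code. The function names and the scratch-directory fixture are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rule from the message: refuse when the containing directory has the t bit
 * AND the caller's euid is not the symlink's owner. No exemption for root. */
int follow_allowed(mode_t dir_mode, uid_t link_owner, uid_t euid)
{
    return !((dir_mode & S_ISVTX) && euid != link_owner);
}

/* Apply the rule to a path: 1 = may follow (or not a symlink), 0 = refused,
 * -1 = error. A user-space model only: check-then-use like this is racy. */
int check_path(const char *path, uid_t euid)
{
    struct stat lnk, dir;
    char buf[PATH_MAX];

    if (strlen(path) >= sizeof buf || lstat(path, &lnk) != 0)
        return -1;
    if (!S_ISLNK(lnk.st_mode))
        return 1;
    strcpy(buf, path);                  /* dirname() may modify its argument */
    if (stat(dirname(buf), &dir) != 0)
        return -1;
    return follow_allowed(dir.st_mode, lnk.st_uid, euid);
}

/* Constructed fixture: scratch directory (sticky or not) with one symlink we
 * own, evaluated as if the caller had a different euid. */
int demo_foreign_euid(int sticky)
{
    char dir[] = "/tmp/symdemoXXXXXX", link[64];
    int verdict = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(link, sizeof link, "%s/l", dir);
    if (chmod(dir, sticky ? 01700 : 0700) == 0 && symlink("target", link) == 0)
        verdict = check_path(link, geteuid() + 1);
    unlink(link);
    rmdir(dir);
    return verdict;
}
```

With the t bit set on the directory, a caller whose euid differs from the link owner is refused; without it, the same link is followed as before, which is why ordinary symlink use outside sticky directories is unaffected.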