From owner-freebsd-hackers Fri Oct 18 15:53:08 1996
From: Andrew Tridgell
To: terry@lambert.org
CC: julian@whistle.com, Guido.vanRooij@nl.cis.philips.com, freebsd-hackers@FreeBSD.org
In-reply-to: <199610182157.OAA02061@phaeton.artisoft.com> (message from Terry Lambert on Fri, 18 Oct 1996 14:57:58 -0700 (MST))
Subject: Re: fix for symlinks in /tmp (fwd) FYI
Reply-to: Andrew.Tridgell@anu.edu.au
Message-Id: <96Oct19.085025+1000est.65042-172+209@arvidsjaur.anu.edu.au>
Date: Sat, 19 Oct 1996 08:50:24 +1000

> The problem is that when you export a directory hierarchy with a hosted
> OS/file server, all inferior directories (mounted or not) are expected
> to be exported.
>
> It's as if you had an NFS server that exported /home and /usr, which
> were on separate FS's, just because you exported /.
>
> The problem comes in when you put a symlink in /tmp (or any other
> directory to which you have access) which targets a system file.
> Since the server runs as root, if it's in your hierarchy, it's
> yours.
>
> The canonically correct fix would be for SAMBA to export on a per
> FS basis (just like NFS). It would have to do this anyway, if it
> were ever migrated to kernel space, where it really belongs.

Terry, I think you are mixing something up.

My symlink patch has absolutely nothing to do with Samba. I do have a
life outside Samba you know :-)

My patch tries to address the general type of security hole in
unix-like systems where users create symlinks in /tmp to try to
subvert security. There have been dozens of these types of holes
reported in lots of different programs. I additionally reported
yesterday that gcc is vulnerable, so you can screw anyone that is
compiling a program on your system.

Perhaps you should read the patch at
ftp://samba.anu.edu.au/pub/linux/symlink.patch

I'm really after feedback answering the question "what legitimate use
for symlinks does this change in semantics break". If too many things
break then the patch is useless. So far I've received pretty positive
feedback. Linus even likes it :-)

Cheers, Andrew

PS: The current version of Samba is not vulnerable to this kind of
security hole anyway!
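
An added example, not part of the original message and not the patch it refers to: the application-side form of the /tmp symlink hole described above, next to the O_EXCL fix a program can apply itself. The scratch directory, the file name cc1234.i and all function names are constructed for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Typical vulnerable pattern: a predictable temp name opened with O_CREAT
 * only. If a symlink already sits at `path`, open() follows it. */
static int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, POSIX requires open() to fail (EEXIST)
 * when `path` is a symlink, whether or not its target exists. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Plants a symlink in a private scratch directory (constructed scenario),
 * then tries both opens. Returns 0 when the hardened open refuses the
 * link and the naive open writes through it; nonzero otherwise. */
int symlink_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX";
    char victim[64], tmpname[64];
    struct stat st;
    int fd, safe_refused, naive_followed = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);     /* stand-in target */
    snprintf(tmpname, sizeof tmpname, "%s/cc1234.i", dir); /* predictable name */
    if (symlink(victim, tmpname) != 0) { rmdir(dir); return -1; }

    fd = open_tmp_safe(tmpname);
    safe_refused = (fd < 0) && (stat(victim, &st) != 0); /* target untouched */
    if (fd >= 0) close(fd);

    fd = open_tmp_naive(tmpname);
    if (fd >= 0) {
        if (write(fd, "x", 1) == 1 && stat(victim, &st) == 0)
            naive_followed = (st.st_size == 1);  /* data landed in target */
        close(fd);
    }
    unlink(tmpname); unlink(victim); rmdir(dir);
    return (safe_refused && naive_followed) ? 0 : 1;
}

int main(void) {
    printf("symlink_demo: %s\n", symlink_demo() == 0 ? "as expected" : "unexpected");
    return 0;
}
```

mkstemp(3) gives the same O_EXCL guarantee together with an unpredictable name.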