From: Terry Lambert
Subject: Re: fix for symlinks in /tmp (fwd) FYI
To: Andrew.Tridgell@anu.edu.au
Date: Fri, 18 Oct 1996 16:12:12 -0700 (MST)
Cc: terry@lambert.org, julian@whistle.com, Guido.vanRooij@nl.cis.philips.com, freebsd-hackers@FreeBSD.org
In-Reply-To: <96Oct19.085025+1000est.65042-172+209@arvidsjaur.anu.edu.au> from "Andrew Tridgell" at Oct 19, 96 08:50:24 am

> Terry, I think you are mixing something up. My symlink patch has
> absolutely nothing to do with Samba. I do have a life outside Samba
> you know :-)

>*Ahem*<

Well, that's very different. Never mind.

I'm afraid your name is synonymous with SAMBA... ;-).

> My patch tries to address the general type of security hole in
> unix-like systems where users create symlinks in /tmp to try to
> subvert security. There have been dozens of these types of holes
> reported in lots of different programs. I additionally reported
> yesterday that gcc is vulnerable, so you can screw anyone that is
> compiling a program on your system.
>
> Perhaps you should read the patch at
> ftp://samba.anu.edu.au/pub/linux/symlink.patch
>
> I'm really after feedback answering the question "what legitimate use
> for symlinks does this change in semantics break". If too many things
> break then the patch is useless.
>
> So far I've received pretty positive feedback. Linus even likes it :-)

Ah.

Symlinks in BSD inherit ownership of the symlink from the directory, as of BSD 4.4.

Prior to BSD 4.4, when the symlinks were stored in files instead of directory entries, it is always the target of the link whose permissions are examined, not the permissions of the link itself.

Finally, the main vulnerability of this type is for hard link of system files into the mail directory for the mail system to indiscriminately "append" security violating "messages", like messages containing password entries to the mailbox /etc/passwd.

I don't think BSD has ever been vulnerable to a "symlink attack" in the past, let alone now, since the 't' bit never worked against symlinks like the patch comments indicate it would have to to be problematic.

Did you have a particular attack in mind? Is this just an instance of the "a common place root might be running from, local-file-replacement-trojan" attack?

Regards,
Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
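
The class of hole described in the quoted text, seen from the side of a program that writes files in a shared directory, as an added example that is not part of this message or of the patch under discussion: a plain create-and-truncate open follows a symlink that already sits at the chosen name, while `O_CREAT | O_EXCL` (with `O_NOFOLLOW`) refuses it. The function names and the scratch directory are hypothetical, and the scenario is constructed inside a private `mkdtemp` directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open as a program using a predictable temp name might: follows an
 * existing symlink at `path` and truncates whatever it points to. */
static int naive_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: O_EXCL fails if any entry, symlink included, already
 * exists at `path`; O_NOFOLLOW is a second line of defence. */
static int safe_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a 9-byte "victim" file and a symlink to it at the
 * name the program will open. Returns the victim's size after the open
 * attempt (-1 on setup failure); *open_errno gets the open's errno or 0. */
static long victim_size_after(int (*opener)(const char *), int *open_errno) {
    char dir[] = "/tmp/symdemo.XXXXXX";
    char victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/tmpfile", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9) return -1;
    close(fd);
    if (symlink(victim, lnk) != 0) return -1;
    fd = opener(lnk);
    *open_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);   /* clean up scratch files */
    return size;
}

int main(void) {
    int e;
    long n = victim_size_after(naive_open, &e);
    printf("naive open: victim is now %ld bytes\n", n);
    n = victim_size_after(safe_open, &e);
    printf("safe open:  victim is still %ld bytes (%s)\n", n, strerror(e));
    return 0;
}
```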