Date:      Fri, 24 Jul 2009 00:27:19 -0700
From:      perryh@pluto.rain.com
To:        ivoras@freebsd.org
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: SGID/SUID on scripts
Message-ID:  <4a696257.YpRb/zYqgBw8bwVp%perryh@pluto.rain.com>
In-Reply-To: <9bbcef730907231111s2ef20e76s5a19a6270b3b5f03@mail.gmail.com>
References:  <19939654343.20090722214221@mail.ru> <4A6795E7.7020700@darkbsd.org> <h4a2br$4mc$1@ger.gmane.org> <4a68a02b.qjV%2BUOvOtUWLEPN1%perryh@pluto.rain.com> <9bbcef730907231111s2ef20e76s5a19a6270b3b5f03@mail.gmail.com>

Ivan Voras <ivoras@freebsd.org> wrote:
> 2009/7/23  <perryh@pluto.rain.com>:
> > Ivan Voras <ivoras@freebsd.org> wrote:
> >> Presumably, the biggest concern is with scripts owned by root.
> >> Who can unlink, move or change the script? The owner and his
> >> group can change it; the directory owner can unlink it ...
> >
> > Anyone can make a link to such a script in, say, /tmp and then
> > mess with the link :(
>
> You mean setuid a soft link? That's allowed?

One can certainly make a symlink that points to a setuid file.
The permissions of the symlink itself don't matter.

IIRC the original demonstration that this exposure was real and not
just theoretical involved making -- and subsequently messing with
-- a hard link in /tmp to a setuid script in /bin, /tmp and /bin
both being on the root FS.  (This was before machines commonly had
enough RAM for tmpfs to be practical, and may have been before
symlinks even existed.)  Granted a case can be made for making /tmp
a separate FS in any event, but of course it would have worked just
as well to make a link in /usr/tmp to a setuid script in /usr/bin,
etc.  The only way to avoid the exposure would have been to ensure
that no possible attacker would have write permission to any
directory on the same FS as a setuid script to which the attacker
had execute permission -- not the easiest thing to keep track of on
an ongoing basis.  With the existence of symlinks I suspect even
that would no longer help.
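The condition spelled out at the end of the message (a setuid script the attacker can execute sharing a filesystem with a directory the attacker can write to) can be audited mechanically. The following is an added example written for this archive page, not code from the thread or from FreeBSD: it walks a tree once, groups setuid/setgid executables and others-writable directories by st_dev, and reports which privileged files share a device with a writable directory. The fixture built by make_demo_tree() is constructed for the demo and stands in for /bin/script and /tmp on one root filesystem; the function names are this example's own.

```python
"""Audit: setuid/setgid executables that share a filesystem with a directory
other users can write to.  Added example, not code from the mailing-list thread."""
import os
import stat
import tempfile
from collections import defaultdict


def _is_privileged_exec(st):
    """Regular file, setuid or setgid, and executable by 'others'."""
    return bool(stat.S_ISREG(st.st_mode)
                and st.st_mode & (stat.S_ISUID | stat.S_ISGID)
                and st.st_mode & stat.S_IXOTH)


def _is_others_writable_dir(st):
    # The sticky bit (as on /tmp) is deliberately NOT treated as mitigating:
    # it stops unlinking other people's files, not creating a new hard link.
    return bool(stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH)


def scan(roots):
    """Walk each root once without following symlinks.
    Returns (privileged, writable), each a dict {st_dev: [path, ...]}."""
    privileged = defaultdict(list)
    writable = defaultdict(list)
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            try:
                dst = os.lstat(dirpath)
            except OSError:
                continue
            if _is_others_writable_dir(dst):
                writable[dst.st_dev].append(dirpath)
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    fst = os.lstat(path)          # lstat: a symlink's own bits are irrelevant
                except OSError:
                    continue
                if _is_privileged_exec(fst):
                    privileged[fst.st_dev].append(path)
    return privileged, writable


def setuid_exposures(roots):
    """Map each setuid/setgid executable under roots to the others-writable
    directories on the same filesystem (same st_dev).  An empty list means
    nobody can hard-link that file from a directory they control."""
    privileged, writable = scan(roots)
    return {path: sorted(writable.get(dev, []))
            for dev, paths in privileged.items() for path in paths}


def make_demo_tree():
    """Constructed fixture: <base>/bin/script (setuid) and <base>/tmp (1777)
    on the same filesystem, plus an unprivileged file that must be ignored."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    bindir, tmpdir, etcdir = (os.path.join(base, d) for d in ("bin", "tmp", "etc"))
    for d in (bindir, tmpdir, etcdir):
        os.mkdir(d, 0o755)
    script = os.path.join(bindir, "script")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o4755)          # setuid and executable by others
    os.chmod(tmpdir, 0o1777)          # sticky + world-writable, like /tmp
    plain = os.path.join(etcdir, "rc.conf")
    open(plain, "w").close()
    os.chmod(plain, 0o644)            # ordinary file: not reported
    return {"base": base, "script": script, "tmp": tmpdir}


if __name__ == "__main__":
    paths = make_demo_tree()
    for suid, dirs in setuid_exposures([paths["base"]]).items():
        print(suid, "<- linkable from:", dirs or "(no writable dir on this fs)")
```

Running it against a real system (`setuid_exposures(["/"])`) takes a while but needs no special handling for mount points: a writable /tmp on its own filesystem simply lands in a different st_dev bucket, which is exactly the separate-FS mitigation the message discusses. Note that the check reports the hard-link exposure only; whether a user may actually link a file they do not own is further governed on current systems by FreeBSD's security.bsd.hardlink_check_uid sysctl and Linux's fs.protected_hardlinks.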


