From owner-freebsd-security Mon Feb 26 15:37:32 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA27014 for security-outgoing; Mon, 26 Feb 1996 15:37:32 -0800 (PST) Received: from gw0.telebase.com (root@gw0.telebase.com [192.132.57.100]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id PAA27007 for ; Mon, 26 Feb 1996 15:37:25 -0800 (PST) Received: from wormhole.telebase.com by gw0.telebase.com id SAA10660; Mon, 26 Feb 1996 18:37:16 -0500 (EST) Received: from odo.telebase.com (root@odo.telebase.com [172.16.2.217]) by wormhole.telebase.com (8.7.1/8.6.9.1) with ESMTP id SAA16955; Mon, 26 Feb 1996 18:37:15 -0500 (EST) Received: (from bmc@localhost) by odo.telebase.com (8.6.12/8.6.9.1) id SAA00872; Mon, 26 Feb 1996 18:37:15 -0500 Date: Mon, 26 Feb 1996 18:37:15 -0500 Message-Id: <199602262337.SAA00872@telebase.com.> From: Brian Clapper To: Nathan Lawson Cc: msmith@comtch.iea.com (Mark Smith), security@FreeBSD.ORG Subject: Re: Suspicious symlinks in /tmp In-Reply-To: <60614237@toto.iv> Sender: owner-security@FreeBSD.ORG Precedence: bulk >>>>> "Nathan" == Nathan Lawson writes: Nathan> However, the bug that I have seen for quite a while and complained Nathan> about is that a symlink is owned by the owner of the file it points Nathan> to, not by the creator of the symlink. That is a bad idea and I Nathan> really can't see the logic behind doing that. Nathan> Could someone explain this behavior? Hmmm. Doesn't work that way on my 2.1R system: % id uid=200(bmc) gid=200(bmc) groups=200(bmc), 1000(eng) % ln -s /etc/passwd . % ls -l /etc/passwd passwd -rw-r--r-- 1 root wheel 1176 Feb 16 09:59 /etc/passwd lrwxr-xr-x 1 bmc wheel 11 Feb 26 18:31 passwd -> /etc/passwd As it turns out, the symlink ends up being owned by whoever owns its parent directory--regardless of the UID of the process that created the symlink and regardless of the UID that owns the file to which it points. Thus, if I create the same symlink in /tmp (as `bmc'), the symlink is owned by `bin' (the owner of /tmp). Likewise, if I login as `root' and create the same symlink in my home directory, the symlink is owned by `bmc', not `root'. Also highly counterintuitive behavior, at least to me. ---- Brian Clapper .............................................. bmc@telebase.com http://www.netaxs.com/~bmc/ ............. PGP public key available on request And now for something completely different.