Date:      Mon, 4 Oct 1999 08:26:04 -0400
From:      freebsd-security@progressive-comp.com
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: [Fwd: Truth about ssh 1.2.27 vulnerability]
Message-ID:  <199910041226.IAA14566@mailer.progressive-comp.com>

On 1999-10-02, "Michael Bryan" <fbsd-security@ursine.com> wrote:


> On 9/29/99 at 10:01 PM Warner Losh wrote:
> > 
> > FreeBSD should follow symlinks.  In fact in the base system we have
> > /dev/log which points to /var/run/log.

> Would it make sense to have the following behaviour when bind()
> encounters a symlink?

>     1)  If a symlink exists and points to a valid Unix-domain
>         socket, go ahead and follow the link.

>     2)  If a symlink points to something other than a valid
>         Unix-domain socket, including a filename that does
>         not yet exist, then do not follow the symlink, and
>         return an appropriate error.

> This still allows /dev/log -> /var/run/log to work, but prevents
> abuse in cases of poor code like in ssh.

Hm, or more generally, modify the kernel such that no symlink in a world-
writeable and/or +t directory will be followed by a process unless it is
owned by root or the UID/EUID of the process.  This is what Solar
Designer's patches for Linux have done for some time now.  It seems to
break little (nothing, except POSIX? ;) and is quite effective.  SolarD's
patches are at http://www.openwall.com/, but here's the appropriate snippet
as a teaser, since code (albeit linux-specific, of course) speaks louder
than words:

in fs/namei.c:follow_link():

+#ifdef CONFIG_SECURE_LINK
+/*
+ * Don't follow links that we don't own in +t directories, unless the link
+ * is owned by root.
+ */
+	if (S_ISLNK(inode->i_mode) && (dir->i_mode & S_ISVTX) &&
+	    inode->i_uid &&
+	    current->fsuid != inode->i_uid) {
+		security_alert("not followed symlink of %d.%d "
+			"by UID %d, EUID %d, process %s:%d",
+			"symlinks not followed",
+			inode->i_uid, inode->i_gid,
+			current->uid, current->euid,
+			current->comm, current->pid);
+		iput(dir);
+		iput(inode);
+		*res_inode = NULL;
+		return -EPERM;
+	}
+#endif
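Review bot: the condition tests only the sticky bit (`dir->i_mode & S_ISVTX`), while the text introducing the snippet describes the policy as covering "world-writeable and/or +t" directories, so a symlink sitting in a world-writable directory that lacks +t is still followed; either narrow the description to +t directories or widen the test to `(dir->i_mode & (S_ISVTX | S_IWOTH))`. The `inode->i_uid &&` term is the root exemption the comment mentions; it would help to state in the comment that the link owner is compared only against `current->fsuid`, not against the directory owner, so readers do not expect links owned by the directory's owner to be treated specially.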

--
Hank Leininger <hlein@progressive-comp.com> 
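As an added illustration, not part of this mail and not Openwall's code: the same policy rendered in user space around openat(2) with O_NOFOLLOW, for programs that cannot rely on a patched kernel. It applies the rule as the prose states it (sticky or world-writable directory; follow only links owned by root or by the caller), which is slightly wider than the +t-only check in the snippet. The function names symlink_follow_allowed, open_checked and demo_own_link_in_sticky_dir are my own, and the scratch directory the demo creates under /tmp is constructed test data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure policy decision, mirroring the rule described in the mail: in a
 * sticky (+t) or world-writable directory, a symlink is followed only when
 * it is owned by root or by the process's filesystem UID.  Ordinary
 * directories keep normal semantics.  Returns 1 = follow, 0 = refuse. */
int symlink_follow_allowed(mode_t dir_mode, uid_t link_uid, uid_t fsuid)
{
    if (!(dir_mode & (S_ISVTX | S_IWOTH)))
        return 1;                 /* not a shared scratch directory */
    if (link_uid == 0)
        return 1;                 /* root-owned links are trusted */
    return link_uid == fsuid;     /* otherwise only our own links */
}

/* open(2) of `name` relative to `dirfd` that applies the policy before the
 * final path component may be followed as a symlink.  Returns a file
 * descriptor, or -1 with errno set (EPERM when the policy refuses). */
int open_checked(int dirfd, const char *name, int flags)
{
    struct stat dir_st, link_st;

    if (fstat(dirfd, &dir_st) < 0)
        return -1;

    /* First try without following: this succeeds unless the last component
     * is a symlink (Linux reports ELOOP, FreeBSD EMLINK). */
    int fd = openat(dirfd, name, flags | O_NOFOLLOW);
    if (fd >= 0 || (errno != ELOOP && errno != EMLINK))
        return fd;

    /* It is a symlink: inspect the link itself, not its target. */
    if (fstatat(dirfd, name, &link_st, AT_SYMLINK_NOFOLLOW) < 0)
        return -1;
    if (!S_ISLNK(link_st.st_mode)) {
        errno = ELOOP;            /* replaced under us; refuse */
        return -1;
    }
    if (!symlink_follow_allowed(dir_st.st_mode, link_st.st_uid, geteuid())) {
        errno = EPERM;
        return -1;
    }
    /* Policy passed: follow the link.  The window between the stat above and
     * this open is exactly the race a kernel-side check does not have. */
    return openat(dirfd, name, flags);
}

/* Self-check on a real filesystem: a sticky scratch directory created with
 * mkdtemp (constructed test data), a regular file and a symlink to it, both
 * owned by us.  Returns 1 when open_checked follows our own link. */
int demo_own_link_in_sticky_dir(void)
{
    char tmpl[] = "/tmp/symlink-policy-XXXXXX";
    int ok = 0;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd >= 0) {
        if (fchmod(dirfd, S_IRWXU | S_ISVTX) == 0) {
            int t = openat(dirfd, "target", O_WRONLY | O_CREAT | O_EXCL, 0600);
            if (t >= 0) {
                close(t);
                if (symlinkat("target", dirfd, "link") == 0) {
                    int fd = open_checked(dirfd, "link", O_RDONLY);
                    if (fd >= 0) {
                        ok = 1;
                        close(fd);
                    }
                    unlinkat(dirfd, "link", 0);
                }
                unlinkat(dirfd, "target", 0);
            }
        }
        close(dirfd);
    }
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("own link in +t dir followed: %s\n",
           demo_own_link_in_sticky_dir() ? "yes" : "no");
    printf("foreign link in +t dir: %s\n",
           symlink_follow_allowed(S_IFDIR | 01777, 1001, 1000) ? "followed" : "refused");
    return 0;
}
```

The deny branch cannot be exercised by an unprivileged demo, since it needs a link owned by another UID, which is why the policy is kept in a separate pure function that can be checked with synthetic mode and UID values. The remaining stat-then-open race is also the reason the thread argues for doing this in the kernel rather than in every daemon.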


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message