Symlink attack
Edward Glowacki
glowack2@key-largo.cl.msu.edu
Thu, 2 Mar 2000 10:46:13 -0500 (EST)
Doh, DPK beat me to it! ;) And wouldn't you know it, I visited
securityfocus.com too, looking for an example! =) Fortunately PINE told
me about the incoming mail, so I aborted my message. =)
--
Edward Glowacki glowack2@msu.edu
Network Services
Michigan State University
On Thu, 2 Mar 2000, Dpk wrote:
> On Thu, Mar 02, 2000 at 10:18:59AM -0500, Alan Garrison wrote:
>
> > Could someone explain in 5-10 sentences what exactly a symlink
> > attack is? Is it just a permissions thing, or is it more
> > complicated?
>
> Many programs create files in /tmp when they start, or while they are
> running. Since /tmp can be written to by any user, programs need to
> make sure the file they create is not a symlink or world writable.
> This is especially critical when the program runs as root.
>
> Example: Program "a" creates /tmp/a.log at startup.
>
> A user creates a symlink before the program starts, or writes
> a.log: /tmp/a.log -> /etc/passwd
>
> The /etc/passwd file is wiped and now contains logging
> information for program "a".
>
> This is even worse when the files are created world-writable, because
> then a user could write to the password file! A common,
> poor-programming hack is to create semi-random file names, like
> a-3675.log (using the pid), but then all one needs to do is write a
> script to generate 1000 links starting at the current process id,
> etc.
>
> This should get you started... www.securityfocus.com will have
> archives of /tmp symlink attack discussions.
>
> Dennis Kelly email: dpk@egr.msu.edu
> Network Administrator phone: 353-4844
> College of Engineering pager: 232-8117
> Michigan State University
>
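
The /tmp/a.log scenario from the quoted explanation, shown next to the usual fix, as an added example that is not part of the original thread. The directory and the file names "important" and "a.log" are constructed stand-ins created in a private mkdtemp() directory, and the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the post warns about: open() follows a pre-planted symlink
   and O_TRUNC wipes whatever it points to. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* O_CREAT|O_EXCL fails with EEXIST if the name exists, even as a symlink
   (O_NOFOLLOW is extra); mode 0600 avoids a world-writable file. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Plants a.log -> important (constructed files), opens a.log, returns the size
   of "important". -1: setup failed; -2: safe open did not fail with EEXIST. */
long size_after_open(int use_safe) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[PATH_MAX], logp[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(logp, sizeof logp, "%s/a.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important data\n", f);              /* 15 bytes */
    fclose(f);
    if (symlink(target, logp) != 0) return -1;
    int fd = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    int err = errno;
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(target); rmdir(dir);
    if (use_safe && !(fd < 0 && err == EEXIST)) return -2;
    return size;
}

int main(void) {
    printf("unsafe open: %ld bytes left; safe open: %ld bytes left\n",
           size_after_open(0), size_after_open(1));
    return 0;
}
```

For temporary files whose name does not matter, mkstemp(3) picks an unused name and creates it with O_EXCL in one step, which avoids the predictable pid-based names mentioned above.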