[GLLUG] Sharing /tmp Among Distros

Ben Pfaff blp at cs.stanford.edu
Thu Jun 12 21:10:49 EDT 2003


"C. Ulrich" <dincht at securenym.net> writes:

> Okay, this makes sense. That's exactly how symlinks are supposed to work. And
> I am convinced that caution is needed when "cleaning" /tmp. But I'm still not
> entirely clear on how an attacker could use this. rm, for example, doesn't
> care whether the symlink points to a directory or file, it just sees a symlink
> and gets rid of it without checking to see what's behind it. You'd have to
> manually do "rm /tmp/dir/passwd", which wouldn't work for a non-root user
> since they don't have permission to most or all files in /etc. Root would have
> to be tricked into doing unlink("/tmp/dir/passwd"), which would follow the
> symlink to /etc/passwd, but then if this were the case then unlink("/etc/passwd")
> would work just as well and you have bigger things to worry about than symlink
> expansion. :P

tmp cleaners run as root so that they can delete everyone's
files.
-- 
Aim to please, shoot to kill.
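
A sketch of how a cleaner running as root can avoid the symlinked-directory case discussed above, added here as an example and not part of the original message: it opens the directory with `O_NOFOLLOW` and removes entries relative to that descriptor instead of by path. The names `clean_subdir` and `demo` are hypothetical, the scratch tree is constructed, and Linux/POSIX.1-2008 behaviour is assumed.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove the non-directory entries of parentfd/name without following a
 * symlink. Returns the number removed, or -1 if name is refused. */
int clean_subdir(int parentfd, const char *name)
{
    /* O_NOFOLLOW: fail if name itself is a symlink planted by another user. */
    int dfd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    DIR *d = dfd < 0 ? NULL : fdopendir(dfd);
    if (!d) { if (dfd >= 0) close(dfd); return -1; }
    int removed = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        /* Relative to the held fd: a later path swap cannot redirect this. */
        if (unlinkat(dfd, e->d_name, 0) == 0)
            removed++;
    }
    closedir(d); /* also closes dfd */
    return removed;
}

/* Constructed scenario: base/victim stands in for /etc, base/tmp for /tmp.
 * Returns 1 if the symlink was refused, the victim file survived and the
 * genuine directory was cleaned. The scratch tree is left for inspection. */
int demo(void)
{
    char base[] = "/tmp/tmpclean-XXXXXX";
    if (!mkdtemp(base)) return -1;
    int bfd = open(base, O_RDONLY | O_DIRECTORY);
    mkdirat(bfd, "victim", 0700);
    mkdirat(bfd, "tmp", 0700);
    mkdirat(bfd, "tmp/real", 0700);
    close(openat(bfd, "victim/passwd", O_CREAT | O_WRONLY, 0600));
    close(openat(bfd, "tmp/real/old", O_CREAT | O_WRONLY, 0600));
    symlinkat("../victim", bfd, "tmp/dir"); /* tmp/dir -> base/victim */
    int tfd = openat(bfd, "tmp", O_RDONLY | O_DIRECTORY);
    int refused = clean_subdir(tfd, "dir") == -1;
    int survived = faccessat(bfd, "victim/passwd", F_OK, 0) == 0;
    int cleaned = clean_subdir(tfd, "real") == 1;
    close(tfd); close(bfd);
    return refused && survived && cleaned;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```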