On 19.09.2017 00:25, Paul Eggert wrote:
For years cp and friends have been subject to a symlink attack, in
that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
directories that the user has access to, if b's parent directory is
world-writable and is not sticky and is manipulated by a malicious
user.
From patch:
PE> +environment variable.) For example, if @file{/tmp/risky/d} is a
PE> +directory whose parent @file{/tmp/risky} is is world-writable and
is
PE> +not sticky, the command @samp{cp passwd /tmp/risky/d} fails with
PE> +a diagnostic reporting a vulnerable target directory, as an
attacker
PE> +could replace @file{/tmp/risky/d} by a symbolic link to a victim
PE> +directory while @command{cp} is running. In this example, you can
PE> +suppress the heuristic by issuing one of the following shell
commands
PE> +instead:
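Review bot: the sentence about @file{/tmp/risky} has a duplicated word ("is is world-writable"); it should read "whose parent @file{/tmp/risky} is world-writable and not sticky". Otherwise the example reads clearly and the wording "an attacker could replace @file{/tmp/risky/d} by a symbolic link ... while @command{cp} is running" correctly describes the race the heuristic is meant to catch.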
Instead of checking for what *could* go wrong, why not defend more
specifically against signs that the attack might be actually happening.
Somehow detect, "Uh oh! Parent is writable by another non-root user, and
the last component opened through a symlink!" while carefully guarding
against race conditions that could render such a defense tactic less than
fully effective.