On 19.09.2017 00:25, Paul Eggert wrote:
> For years cp and friends have been subject to a symlink attack, in
> that seemingly-ordinary commands like 'cp a b' can overwrite arbitrary
> directories that the user has access to, if b's parent directory is
> world-writable and is not sticky and is manipulated by a malicious
> user.

Also, it occurs to me that the attack can be perpetrated if any of the
ancestral directories are writable to another non-root user.
Suppose we have

    cp passwd /alpha/beta/gamma/delta/omega

If the attacker can write to alpha, the attacker can create a symlink in
a path like this:

    /home/attacker/beta/gamma/delta/omega -> <arbitrary path>

and, having write access to /alpha, the attacker can replace the
/alpha/beta directory with this symlink:

    /alpha/beta -> /home/attacker/beta
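As an added illustration of the defensive side of this thread (this is example code, not coreutils code and not anything either poster wrote), the check below walks every ancestor of a destination path one component at a time. Each component is opened with O_NOFOLLOW relative to the directory already held open, so a symlink planted in place of a directory (the /alpha/beta case above) is rejected rather than followed, and each directory is inspected through its own fd, so the directory checked is the one held. A directory counts as trusted only if it is owned by root or by the calling user and is not group- or world-writable without the sticky bit, which is the "any ancestor writable to another non-root user" condition of the message generalised to the whole path. The function and verdict names are my own, and the code assumes Linux/POSIX openat and fstatat semantics.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef S_ISVTX
#define S_ISVTX 01000
#endif
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Verdicts of the ancestor walk (hypothetical names).  DEST_ERROR leaves errno set. */
enum dest_verdict {
    DEST_TRUSTED = 0,
    DEST_SYMLINK_COMPONENT,   /* an ancestor component is a symlink */
    DEST_UNTRUSTED_OWNER,     /* an ancestor is owned by another non-root user */
    DEST_WRITABLE_NOT_STICKY, /* an ancestor is group/world-writable and not sticky */
    DEST_ERROR
};

/* A directory is trusted if only root or we could have replaced its entries:
   owned by root or by us, and not writable by others unless the sticky bit
   limits deletion/renaming to each entry's owner. */
static enum dest_verdict dir_is_trusted(const struct stat *st, uid_t me)
{
    if (st->st_uid != 0 && st->st_uid != me)
        return DEST_UNTRUSTED_OWNER;
    if ((st->st_mode & (S_IWGRP | S_IWOTH)) && !(st->st_mode & S_ISVTX))
        return DEST_WRITABLE_NOT_STICKY;
    return DEST_TRUSTED;
}

/* Check every ancestor directory of `path`.  On DEST_TRUSTED, if parent_fd is
   non-NULL it receives an fd for the last ancestor; the caller should then
   create the destination with openat(*parent_fd, basename, ... | O_NOFOLLOW)
   instead of re-resolving the full path, which would reopen the race. */
enum dest_verdict check_dest_ancestors(const char *path, int *parent_fd)
{
    char buf[PATH_MAX];
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return DEST_ERROR; }
    strcpy(buf, path);

    /* Cut off the final component: its parents are what we verify. */
    int absolute = (buf[0] == '/');
    char *last = strrchr(buf, '/');
    if (last) *last = '\0'; else buf[0] = '\0';          /* bare name: only cwd */
    char *p = (absolute && buf[0]) ? buf + 1 : buf;

    uid_t me = geteuid();
    int dirfd = open(absolute ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return DEST_ERROR;

    struct stat st;
    enum dest_verdict v;
    for (;;) {
        /* Inspect the directory through the fd we hold, not by path. */
        if (fstat(dirfd, &st) < 0) { v = DEST_ERROR; break; }
        if ((v = dir_is_trusted(&st, me)) != DEST_TRUSTED) break;

        while (*p == '/') p++;                             /* skip "//" */
        if (*p == '\0') {                                  /* walk finished */
            if (parent_fd) { *parent_fd = dirfd; return DEST_TRUSTED; }
            break;
        }
        char *slash = strchr(p, '/');
        if (slash) *slash = '\0';

        /* O_NOFOLLOW: a symlink planted here fails instead of being followed. */
        int next = openat(dirfd, p, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) {
            int saved = errno;
            if (fstatat(dirfd, p, &st, AT_SYMLINK_NOFOLLOW) == 0 && S_ISLNK(st.st_mode))
                v = DEST_SYMLINK_COMPONENT;
            else { errno = saved; v = DEST_ERROR; }
            break;
        }
        close(dirfd);
        dirfd = next;
        p = slash ? slash + 1 : p + strlen(p);
    }
    { int saved = errno; close(dirfd); errno = saved; }
    return v;
}
```

The owner test cannot tell whether a group-writable directory's group contains another user, so it conservatively treats any group- or world-write bit without the sticky bit as untrusted; the final component itself is left to the caller, who should create it through the returned parent fd with O_NOFOLLOW so the destination is never a symlink either.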