On 2013-09-09 21:41:00 +0200, Daniel Vérité wrote:
> Tom Lane writes:
>
> > Andres Freund <and...@2ndquadrant.com> writes:
> > > One would be to use open(O_NOFOLLOW)?
> >
> > That would only stop symlink attacks, not hardlink variants;
> > and it'd probably stop some legitimate use-cases too.
>
> The creation of the hardlink is denied by the OS based on the
> attacker not having sufficient permissions to the target file.
> In principle the mentioned loophole is limited to a symlink, which
> is not restricted at create time.

It only requires search privileges, doesn't it?

andres@alap2:~$ ln /etc/shadow /tmp/frak
andres@alap2:~$ cat /tmp/frak
cat: /tmp/frak: Permission denied
andres@alap2:~$ ls -l /tmp/frak
-rw-r----- 2 root shadow 1652 Jun 4 22:05 /tmp/frak

There are patches around preventing that kind of thing, but they aren't
too widespread yet.

Greetings,

Andres Freund

--
Andres Freund http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services