Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: Linux kernel filesystem oddities

Re: Linux kernel filesystem oddities

Jeffrey Hutzelman (jhutz+cmu.edu)
Thu, 9 Jul 1998 15:56:59 -0400

> Owners are stored in i-nodes. Directory entries are nothing but
> (filename, i-node number) pairs.
>
> link("publicly-visible-file", "world-writable-directory/blah")
>                 is as anonymous as
> write(open("/world-writable-file", O_WRONLY), "blah", 4)

True.  However, one might argue that the former should fail with
EPERM, unless you happen to own "publicly-visible-file".  In fact,
I thought I saw a patch go through here a while back that did exactly
that, if "world-writable-directory" was also sticky.

In general, publicly-writable directories are a bad thing.  They are
the cause (or at least part of the cause) of numerous vulnerabilities,
most much worse than the DoS attack described here.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+cmu.edu>
   Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
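
The two points in the message above, as an added example that is not part of the original post or of any kernel patch: `names_share_inode()` shows that a second name created with link() carries the original i-node and owner, and `link_policy()` is a hypothetical model of the check described (EPERM unless the caller owns the source, when the target directory is sticky and world-writable). The function names and the scratch path under /tmp are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical policy check modelling the patch described above: in a
 * sticky, world-writable directory, linking a file the caller does not
 * own is refused. Returns 0 if allowed, otherwise EPERM. */
int link_policy(const struct stat *src, const struct stat *dir, uid_t caller)
{
    int sticky_public = (dir->st_mode & S_ISVTX) && (dir->st_mode & S_IWOTH);
    if (sticky_public && src->st_uid != caller)
        return EPERM;
    return 0;
}

/* Creates a file and a second name for it, then reports whether both
 * names resolve to one i-node with one owner and a link count of 2.
 * Returns 1 if so, 0 if not, -1 on setup error. */
int names_share_inode(void)
{
    char dir[] = "/tmp/linkdemoXXXXXX";   /* constructed scratch directory */
    char a[64], b[64];
    struct stat sa, sb;
    int fd, ok = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(a, sizeof a, "%s/original", dir);
    snprintf(b, sizeof b, "%s/alias", dir);
    fd = open(a, O_CREAT | O_WRONLY | O_EXCL, 0644);
    /* The directory entry "alias" is only a (name, i-node) pair, so
     * ownership comes from the shared i-node, not from who linked it. */
    if (fd >= 0 && link(a, b) == 0 && stat(a, &sa) == 0 && stat(b, &sb) == 0)
        ok = sa.st_ino == sb.st_ino && sa.st_uid == sb.st_uid
             && sb.st_nlink == 2;
    if (fd >= 0)
        close(fd);
    unlink(b);
    unlink(a);
    rmdir(dir);
    return ok;
}
```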