any user can make hard links in Unix
Subject: any user can make hard links in Unix
From: Benjamin Elijah Griffin (bgriffin CDDB.COM)
Date: Tue Dec 21 1999 - 20:36:54 CST

I've talked with some people about it and found only one person who knew
about this and no one who could offer a good reason for it. So perhaps
awareness should be increased and OSs patched.

I've tested this out on SunOS 4.1; RedHat 6.0 (Linux 2.2.5-15); BSDI
BSD/OS 4.0; and NetBSD 1.4.1. Probably lots more do it.

Basically any user can make a hard link to any file IF

  A) the user knows the file exists
  B) has enough access to cd into the directory it is in
  C) has write access to any directory on the same volume

What does this gain you?

  1) If the user has read access to the writable directory, s/he
     can now stat the inode even if the original location did not
     offer read access.
  2) The user can change the ctime of the inode (fun with tripwire).
  3) Some suid programs that just checked for sym-links can perhaps
     be duped into opening or writing to files they shouldn't.
  4) Social hacks involving 'chown -R' or the like.
  5) Screw with the quota of other users and other ways to make it
     hard to delete files that should be deleted (eg large logs in
     /var)

Possibly other things.

Thanks to Alexis Rosen for his input on this.

Benjamin
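
The following is an added example, not part of the original message: a defensive open routine for the case in point 3, where a privileged program checks for symlinks but not for extra hard links. The names open_checked and demo and the /tmp paths are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path for a privileged program. Returns an fd, or -1 if the path is a
   symlink, not a regular file, not owned by owner, or has a second name. */
int open_checked(const char *path, int flags, uid_t owner)
{
    struct stat st;
    int fd = open(path, flags | O_NOFOLLOW);   /* this alone stops symlinks only */
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so check and use see one inode */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in /tmp. Bit 0 of the result: file accepted while it
   has one name. Bit 1: still accepted after a second hard link exists.
   Expected result is 1; -1 means the setup itself failed. */
int demo(void)
{
    char path[] = "/tmp/hardlink-demo-XXXXXX";
    char alias[64];
    int fd = mkstemp(path), before, after;
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(alias, sizeof alias, "%s.alias", path);
    before = open_checked(path, O_RDONLY, geteuid());
    if (before >= 0)
        close(before);
    if (link(path, alias) != 0) {              /* second name, same inode */
        unlink(path);
        return -1;
    }
    after = open_checked(path, O_RDONLY, geteuid());
    if (after >= 0)
        close(after);
    unlink(alias);
    unlink(path);
    return (before >= 0) + 2 * (after >= 0);
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

The link-count check also rejects files that legitimately have several names, so it suits files a program creates and manages itself. Modern Linux kernels can additionally refuse the link() call through the fs.protected_hardlinks sysctl, which only lets a user link to files they own or can already read and write.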
This archive was generated by hypermail 2b27 : Wed Dec 22 1999 - 01:08:16 CST