| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20031124195935.GA25872@SDF.LONESTAR.ORG> From: petard at freeshell.org (petard) Subject: hard links on Linux create local DoS vulnerability and security problems On Mon, Nov 24, 2003 at 07:58:17PM +0100, Michal Zalewski wrote: > But yes, hardlinks introduce a whole array of security problems and other > brain-damage scenarios (a trivia: what happens if you create a hardlink to > /usr/bin/passwd in /tmp? 1: you cannot remove it; 2: if you name it > 'r00tshell', the administrator would have a a heart attack upon spotting a > root-owned setuid binary in /tmp). This is hardly new - you can Google for > some BUGTRAQ discussions and such back in the '99 or so - but should be > brought up once in a while. If the administrator is worth her salary, you will be unable to create that hardlink because /usr/bin/passwd and /tmp will be on different partitions. This entire issue is more of a configuration issue than a Linux issue. You should never configure a multiuser system such that users can write to partitions which contain suid binaries. -- If your message really might be confidential, download my PGP key here: http://petard.freeshell.org/petard.asc and encrypt it. Otherwise, save bandwidth and lose the disclaimer.
Powered by blists - more mailing lists