From: davidsen@tmr.com (bill davidsen)
To: linux-kernel@vger.kernel.org
Subject: Re: hard links create local DoS vulnerability and security problems
Date: 24 Nov 2003 23:50:12 GMT [thread overview]
Message-ID: <bpu5fk$vsn$1@gatekeeper.tmr.com> (raw)
In-Reply-To: 200311241736.23824.jlell@JakobLell.de
In article <200311241736.23824.jlell@JakobLell.de>,
Jakob Lell <jlell@JakobLell.de> wrote:
| on Linux it is possible for any user to create a hard link to a file belonging
| to another user. This hard link continues to exist even if the original file
| is removed by the owner. However, as the link still belongs to the original
| owner, it is still counted to his quota. If a malicious user creates hard
| links for every temp file created by another user, this can make the victim
| run out of quota (or even fill up the hard disk). This makes a local DoS
| attack possible.
Of course they must be created in a directory when the evil user has
write, from a directory where the evil user has... have to check if
that's read or just evecute.
|
| Furthermore, users can even create links to a setuid binary. If there is a
| security whole like a buffer overflow in any setuid binary, a cracker can
| create a hard link to this file in his home directory.
Not unless the admin is a total bozo... remember hard links must be in
the same filesystem, and I wouldn't expect untrusted users to have write
in /usr, /var, /lib or /opt, which is where the problem might likely to
exist.
| This link still exists
| when the administrator has fixed the security whole by removing or replacing
| the insecure program. This makes it possible for a cracker to keep a security
| whole open until an exploit is available. It is even possible to create links
| to every setuid program on the system. This doesn't create new security
| wholes but makes it more likely that they are exploited.
See above, this is less likely that you make it sound.
|
| To solve the problem, the kernel shouldn't allow users to create hard links to
| files belonging to someone else.
While I think you're overblowing the problem, it is an issue which might
be addressed in SE Linux or somewhere. I have an idea on that, but I
want to look before I suggest anything.
|
| I could reproduce the problem on linux 2.2.19 and 2.4.21 (and found nothing
| about it in the changelogs to 2.4.23-rc3).
Bear in mind it isn't a "problem" it's 'expected behaviour" for the o/s,
and might even be mentioned in SuS somehow. Interesting topic, but not a
bug, since the behaviour is as intended.
--
bill davidsen <davidsen@tmr.com>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
next prev parent reply other threads:[~2003-11-25 0:02 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-11-24 16:36 hard links create local DoS vulnerability and security problems Jakob Lell
2003-11-24 17:05 ` Måns Rullgård
2003-11-24 20:42 ` Mike Fedyk
2003-11-24 17:14 ` Richard B. Johnson
2003-11-24 17:35 ` Jamie Lokier
2003-11-24 18:57 ` aic7xxx loading oops in 2.6.0-test10 Alexander Nyberg
2003-11-24 20:03 ` Ken Witherow
[not found] ` <Pine.LNX.4.58.0311241524310.1245@morpheus>
2003-11-24 20:49 ` Ken Witherow
2003-11-24 23:42 ` Dick Streefland
2003-11-25 3:16 ` hard links create local DoS vulnerability and security problems Matthias Andree
2003-11-25 14:48 ` Jan Kara
2003-11-25 15:27 ` Jakob Lell
2003-11-24 17:37 ` Rudo Thomas
2003-11-24 18:10 ` Richard B. Johnson
2003-11-24 18:22 ` Valdis.Kletnieks
2003-11-24 22:17 ` [OT] " Rudo Thomas
2003-11-24 17:57 ` Jakob Lell
2003-11-24 18:08 ` splite
2003-11-24 18:13 ` Richard B. Johnson
2003-11-24 18:24 ` Jakob Lell
2003-11-24 23:57 ` bill davidsen
2003-11-24 18:18 ` Jakob Lell
2003-11-24 18:29 ` Valdis.Kletnieks
2003-11-24 19:25 ` hard links create local DoS vulnerability and security proble Mathieu Chouquet-Stringer
2003-11-24 20:00 ` Valdis.Kletnieks
2003-11-24 20:02 ` Mathieu Chouquet-Stringer
2003-11-24 20:22 ` H. Peter Anvin
2003-11-24 18:21 ` hard links create local DoS vulnerability and security problems Michael Buesch
2003-11-24 18:35 ` Jakob Lell
2003-11-24 18:53 ` Chris Wright
2003-11-25 0:04 ` bill davidsen
2003-11-25 13:54 ` Jesse Pollard
2003-11-24 23:50 ` bill davidsen [this message]
2003-11-25 0:22 ` Mike Fedyk
2003-11-25 0:35 ` Chris Wright
2003-11-25 8:15 ` Amon Ott
2003-11-25 16:11 ` Bill Davidsen
2003-11-25 11:26 ` Gianni Tedesco
[not found] <fa.hevpbbs.u5q2r6@ifi.uio.no>
[not found] ` <fa.l1quqni.v405hu@ifi.uio.no>
2003-11-24 20:54 ` Andy Lutomirski
2003-11-24 21:16 ` Linus Torvalds
2003-11-24 23:28 ` Ricky Beam
2003-11-24 22:04 ` John Bradford
2003-11-24 22:12 ` Måns Rullgård
2003-11-25 12:10 ` John Bradford
2003-11-25 12:18 ` Måns Rullgård
2003-11-25 13:12 ` John Bradford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='bpu5fk$vsn$1@gatekeeper.tmr.com' \
--to=davidsen@tmr.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.