From: Jesse Pollard <jesse@cats-chateau.net>
To: Jakob Lell <jlell@JakobLell.de>, root@chaos.analogic.com
Cc: linux-kernel@vger.kernel.org
Subject: Re: hard links create local DoS vulnerability and security problems
Date: Tue, 25 Nov 2003 07:54:57 -0600 [thread overview]
Message-ID: <03112507545800.03336@tabby> (raw)
In-Reply-To: <200311241857.41324.jlell@JakobLell.de>
On Monday 24 November 2003 11:57, Jakob Lell wrote:
> Hello
>
> On Monday 24 November 2003 18:14, Richard B. Johnson wrote:
> > On Mon, 24 Nov 2003, Jakob Lell wrote:
> > > Hello,
> > > on Linux it is possible for any user to create a hard link to a file
> > > belonging to another user. This hard link continues to exist even if
> > > the original file is removed by the owner. However, as the link still
> > > belongs to the original owner, it is still counted to his quota. If a
> > > malicious user creates hard links for every temp file created by
> > > another user, this can make the victim run out of quota (or even fill
> > > up the hard disk). This makes a local DoS attack possible.
[snip]
> >
> > A setuid binary created with a hard-link will only work as a setuid
> > binary if the directory it's in is owned by root. If you have users
> > that can create files or hard-links within such directories, you
> > have users who either know the root password already or have used
> > some exploit to become root. In any case, it's not a hard-link
> > problem
>
> Setuid-root binaries also work in a home directory.
> You can try it by doing this test:
> ln /bin/ping $HOME/ping
> $HOME/ping localhost
What? You allow users write access to a filesystem containing privileged
applications????
You really shouldn't do that. Any filesystem a user has write access to should
be mounted nosgid.
> > > To solve the problem, the kernel shouldn't allow users to create hard
> > > links to
> > > files belonging to someone else.
> >
> > No. Users must be able to create hard links to files that belong
> > to somebody else if they are readable. It's a requirement.
>
> If this is REALLY neccessary, it might be possible to prevent hard links to
> setuid binaries.
> Regards
> Jakob
You would also have to consider setgid binaries.
It also means that you have to read the inode of the source file. Right now,
only the contents of directory have to be read (the file search for the inode
number).
next prev parent reply other threads:[~2003-11-25 13:55 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-11-24 16:36 hard links create local DoS vulnerability and security problems Jakob Lell
2003-11-24 17:05 ` Måns Rullgård
2003-11-24 20:42 ` Mike Fedyk
2003-11-24 17:14 ` Richard B. Johnson
2003-11-24 17:35 ` Jamie Lokier
2003-11-24 18:57 ` aic7xxx loading oops in 2.6.0-test10 Alexander Nyberg
2003-11-24 20:03 ` Ken Witherow
[not found] ` <Pine.LNX.4.58.0311241524310.1245@morpheus>
2003-11-24 20:49 ` Ken Witherow
2003-11-24 23:42 ` Dick Streefland
2003-11-25 3:16 ` hard links create local DoS vulnerability and security problems Matthias Andree
2003-11-25 14:48 ` Jan Kara
2003-11-25 15:27 ` Jakob Lell
2003-11-24 17:37 ` Rudo Thomas
2003-11-24 18:10 ` Richard B. Johnson
2003-11-24 18:22 ` Valdis.Kletnieks
2003-11-24 22:17 ` [OT] " Rudo Thomas
2003-11-24 17:57 ` Jakob Lell
2003-11-24 18:08 ` splite
2003-11-24 18:13 ` Richard B. Johnson
2003-11-24 18:24 ` Jakob Lell
2003-11-24 23:57 ` bill davidsen
2003-11-24 18:18 ` Jakob Lell
2003-11-24 18:29 ` Valdis.Kletnieks
2003-11-24 19:25 ` hard links create local DoS vulnerability and security proble Mathieu Chouquet-Stringer
2003-11-24 20:00 ` Valdis.Kletnieks
2003-11-24 20:02 ` Mathieu Chouquet-Stringer
2003-11-24 20:22 ` H. Peter Anvin
2003-11-24 18:21 ` hard links create local DoS vulnerability and security problems Michael Buesch
2003-11-24 18:35 ` Jakob Lell
2003-11-24 18:53 ` Chris Wright
2003-11-25 0:04 ` bill davidsen
2003-11-25 13:54 ` Jesse Pollard [this message]
2003-11-24 23:50 ` bill davidsen
2003-11-25 0:22 ` Mike Fedyk
2003-11-25 0:35 ` Chris Wright
2003-11-25 8:15 ` Amon Ott
2003-11-25 16:11 ` Bill Davidsen
2003-11-25 11:26 ` Gianni Tedesco
[not found] <fa.hevpbbs.u5q2r6@ifi.uio.no>
[not found] ` <fa.l1quqni.v405hu@ifi.uio.no>
2003-11-24 20:54 ` Andy Lutomirski
2003-11-24 21:16 ` Linus Torvalds
2003-11-24 23:28 ` Ricky Beam
2003-11-24 22:04 ` John Bradford
2003-11-24 22:12 ` Måns Rullgård
2003-11-25 12:10 ` John Bradford
2003-11-25 12:18 ` Måns Rullgård
2003-11-25 13:12 ` John Bradford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03112507545800.03336@tabby \
--to=jesse@cats-chateau.net \
--cc=jlell@JakobLell.de \
--cc=linux-kernel@vger.kernel.org \
--cc=root@chaos.analogic.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox