Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S263811AbTKXRGA (ORCPT ); Mon, 24 Nov 2003 12:06:00 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S263819AbTKXRGA (ORCPT ); Mon, 24 Nov 2003 12:06:00 -0500 Received: from main.gmane.org ([80.91.224.249]:14311 "EHLO main.gmane.org") by vger.kernel.org with ESMTP id S263811AbTKXRF5 (ORCPT ); Mon, 24 Nov 2003 12:05:57 -0500 X-Injected-Via-Gmane: http://gmane.org/ To: linux-kernel@vger.kernel.org From: mru@kth.se (=?iso-8859-1?q?M=E5ns_Rullg=E5rd?=) Subject: Re: hard links create local DoS vulnerability and security problems Date: Mon, 24 Nov 2003 18:05:53 +0100 Message-ID: References: <200311241736.23824.jlell@JakobLell.de> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Complaints-To: usenet@sea.gmane.org User-Agent: Gnus/5.1002 (Gnus v5.10.2) XEmacs/21.4 (Rational FORTRAN, linux) Cancel-Lock: sha1:zyyOU1LpjjB99nvSV2YUo10z/Xw= Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1923 Lines: 37 Jakob Lell writes: > on Linux it is possible for any user to create a hard link to a file > belonging to another user. This hard link continues to exist even if > the original file is removed by the owner. However, as the link > still belongs to the original owner, it is still counted to his > quota. If a malicious user creates hard links for every temp file > created by another user, this can make the victim run out of quota > (or even fill up the hard disk). This makes a local DoS attack > possible. This only make for a DoS attack if the there are user-writable directories on a filesystem that the system depends on being writable. > Furthermore, users can even create links to a setuid binary. If > there is a security whole like a buffer overflow in any setuid > binary, a cracker can create a hard link to this file in his home > directory. This link still exists when the administrator has fixed > the security whole by removing or replacing the insecure > program. This makes it possible for a cracker to keep a security > whole open until an exploit is available. It is even possible to > create links to every setuid program on the system. This doesn't > create new security holes but makes it more likely that they are > exploited. If any SUID user writable directories (/tmp, /var/various, /home) are kept on separate partitions from any SUID executables (belonging in /bin and /usr/bin), creating such links becomes impossible, and the problem vanishes. If a SUID program is found to have a security hole, the administrator should make sure he removes all links to it when deleting it, just to be safe. -- M?ns Rullg?rd mru@kth.se - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/