On Sun, Jan 04, 2004 at 03:24:09AM +0200, Erno Kuusela wrote:
> hello,
>
> the issue is specifically hard links, there is no problem with symlinks.
Sorry, I meant hard links [1].
>
> | I'm not sure if this bug should qualify as 'grave' since it's not dpkg
> | task to control who symlinks to potentially dangerous binaries. As
>
> no, but dpkg could handle the upgrade / safe neutralization of old setuid
> binaries in the manner i described, and it doesn't.
Still, it's a wishlist bug: you are asking for an improvement to solve a
security situation.
>
> | described in the Securing Debian Manual (Mounting partitions the right way
> | [1]) it is the administrator task to avoid symlink attacks (as well as DoS
> | attacks due to system partitions filling up) by separating user-writable
> | directories (these include /home, /tmp and /var/tmp). These directories
> | should be nosuid, and nodev (and maybe noexec too even though it provides
> | little protection).
>
> then the installer should make sure the system gets partitioned and
> configured this way, or warn the user in big friendly letters. but
> solving the problem with partitions is not as good solution in my
> opinion, since fragmenting disks to multiple partitions can lead to
> inflexibility and other problems.
Notice that proper partitions _are_ one way to fix this issue [2]. Even if
you fix dpkg you are still prone to DoS attacks and hardlink attacks to
local binaries (/usr/local) not handled by dpkg (or even by installation of
local binaries if you do it in /usr/ but do not use Debian packages).
>
> the rest of your mail regarding dpkg code looks good to me although
> i'm no expert on dpkg.
I'm not either :-)
Javi
[1] This is a "UNIX feature" BTW.
Sample references include:
http://lists.insecure.org/lists/vuln-dev/1999/Dec/0027.html
and
http://cr.yp.to/maildisasters/postfix.19981221 (see Technical Notes)
and
http://www.cs.uml.edu/~acahalan/linux/obstacles.html
and
http://www.ussg.iu.edu/hypermail/linux/kernel/9612.1/0378.html
[2] Another way to fix this issue is doing it on the kernel, like Openwall
does: http://www.openwall.com/linux/README.shtml (see "Restricted links in
/tmp.")
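As an added illustration (not part of the original thread, and not dpkg's or Debian's code), the following Python script does the two defender-side checks this discussion points at: it audits fstab-style entries for the user-writable directories named above (/home, /tmp, /var/tmp) against the nosuid/nodev options, and it scans a constructed throwaway directory tree for setuid files, showing how a hard link under tmp keeps the old setuid inode alive across a rename-over upgrade of the kind a package manager performs. The sample fstab text, the file names and the fake "binary" contents are all constructed for the demo.

```python
"""Defender-side checks for the hard-link-to-setuid problem: mount-option audit
and a setuid scan across a simulated package upgrade (constructed demo)."""
import os
import shutil
import stat
import tempfile

# User-writable directories named in the Securing Debian Manual (see the mail).
USER_WRITABLE = ("/home", "/tmp", "/var/tmp")
REQUIRED_OPTS = ("nosuid", "nodev")


def audit_fstab(fstab_text):
    """Parse fstab-style text and return {mountpoint: [missing options]} for each
    user-writable directory. A directory with no entry of its own lives on its
    parent filesystem (usually /), so it is reported as missing every option."""
    result = {}
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; fstab needs at least fs, mountpoint, type, opts
        mountpoint, opts = fields[1], fields[3].split(",")
        if mountpoint in USER_WRITABLE:
            result[mountpoint] = [o for o in REQUIRED_OPTS if o not in opts]
    for directory in USER_WRITABLE:
        result.setdefault(directory, list(REQUIRED_OPTS))
    return result


def find_setuid(root):
    """Walk root and return {relative path: link count} for every setuid/setgid
    regular file. A packaged setuid binary normally has exactly one link, so a
    higher count before an upgrade, or any setuid file under a user-writable
    directory after one, is the condition the mail describes."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits[os.path.relpath(path, root)] = st.st_nlink
    return hits


# Constructed sample; /tmp lacks nosuid and /var/tmp has no entry at all.
SAMPLE_FSTAB = """\
# <file system>  <mount point>  <type>  <options>               <dump> <pass>
/dev/sda1        /              ext3    defaults                0      1
/dev/sda2        /home          ext3    defaults,nosuid,nodev   0      2
/dev/sda3        /tmp           ext3    defaults,nodev          0      2
"""


def simulate_upgrade_and_scan():
    """Build a throwaway tree with a setuid 'binary' under usr/bin and a hard
    link to it under tmp, then replace the binary by rename (as a package
    upgrade does) and scan before and after. Returns both scans."""
    base = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        bindir, tmpdir = os.path.join(base, "usr", "bin"), os.path.join(base, "tmp")
        os.makedirs(bindir)
        os.makedirs(tmpdir)
        old = os.path.join(bindir, "prog")
        with open(old, "wb") as f:
            f.write(b"old version (constructed placeholder, not a real binary)\n")
        os.chmod(old, 0o4755)  # setuid; some filesystems silently refuse the bit
        suid_supported = bool(os.lstat(old).st_mode & stat.S_ISUID)
        os.link(old, os.path.join(tmpdir, "keepalive"))  # second name for the same inode
        before = find_setuid(base)
        # Upgrade: write the new file next to the old one, then rename over it.
        # The old inode is not freed because tmp/keepalive still references it.
        new = old + ".new"
        with open(new, "wb") as f:
            f.write(b"fixed version (constructed placeholder)\n")
        os.chmod(new, 0o4755)
        os.rename(new, old)
        after = find_setuid(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {"suid_supported": suid_supported, "before": before, "after": after}


if __name__ == "__main__":
    for mountpoint, missing in sorted(audit_fstab(SAMPLE_FSTAB).items()):
        print(mountpoint, "missing:", missing or "nothing")
    scan = simulate_upgrade_and_scan()
    print("before upgrade:", scan["before"])
    print("after upgrade: ", scan["after"])
```

Before the upgrade both names report a link count of 2; afterwards usr/bin/prog is the fresh inode with one link, and tmp/keepalive is the old setuid inode, also with one link, which is why a link-count check alone is only useful before the upgrade and why the mount options on the user-writable filesystem are the durable control.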