On Sun, Jan 04, 2004 at 03:24:09AM +0200, Erno Kuusela wrote:
> hello,
>
> the issue is specifically hard links, there is no problem with symlinks.

Sorry, I meant hard links [1]

> | I'm not sure if this bug should qualify as 'grave' since it's not dpkg
> | task to control who symlinks to potentially dangerous binaries. As
>
> no, but dpkg could handle the upgrade / safe neutralization of old setuid
> binaries in the manner i described, and it doesn't.

Still, it's a wishlist bug: you are asking for an improvement to solve a
security situation.

> | described in the Securing Debian Manual (Mounting partitions the right way
> | [1]) it is the administrator task to avoid symlink attacks (as well as DoS
> | attacks due to system partitions filling up) by separating user-writable
> | directories (these include /home, /tmp and /var/tmp). These directories
> | should be nosuid, and nodev (and maybe noexec too even though it provides
> | little protection).
>
> then the installer should make sure the system gets partitioned and
> configured this way, or warn the user in big friendly letters. but
> solving the problem with partitions is not as good a solution in my
> opinion, since fragmenting disks to multiple partitions can lead to
> inflexibility and other problems.

Notice that proper partitions _are_ one way to fix this issue [2]. Even if
you fix dpkg you are still prone to DoS attacks and hardlink attacks on
local binaries (/usr/local) not handled by dpkg (or even by installation of
local binaries if you do it in /usr/ but do not use Debian packages).

> the rest of your mail regarding dpkg code looks good to me although
> i'm no expert on dpkg.

I'm not either :-)

Javi

[1] This is a "UNIX feature" BTW. Sample references include:
http://lists.insecure.org/lists/vuln-dev/1999/Dec/0027.html
and http://cr.yp.to/maildisasters/postfix.19981221 (see Technical Notes)
and http://www.cs.uml.edu/~acahalan/linux/obstacles.html
and http://www.ussg.iu.edu/hypermail/linux/kernel/9612.1/0378.html

[2] Another way to fix this issue is doing it in the kernel, like Openwall does:
http://www.openwall.com/linux/README.shtml (see "Restricted links in /tmp.")
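As an added illustration of the two checks discussed in this thread (this is example code written for this page, not code from the thread, from dpkg or from the Securing Debian Manual), the POSIX sh script below does two things an administrator can run: it audits an fstab for the user-writable directories the manual names (/home, /tmp, /var/tmp) and reports any that are not separate filesystems mounted nosuid,nodev, and it lists setuid files that have more than one hard link, which are exactly the copies a package upgrade would leave behind. The sample fstab is constructed for the demo and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original mail or of dpkg.
#   audit_fstab         - check that /home, /tmp and /var/tmp are separate
#                         filesystems carrying the nosuid and nodev options
#   multilinked_setuid  - list setuid files under a directory whose link
#                         count is above 1 (extra hard links survive dpkg
#                         replacing the original file on upgrade)

# Constructed sample fstab: /tmp is done right, /home lacks nosuid, and
# /var/tmp has no filesystem of its own (so it inherits the root mount).
SAMPLE_FSTAB='# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
/dev/sda5 /tmp ext3 defaults,nosuid,nodev,noexec 0 2
/dev/sda6 /home ext3 defaults,nodev 0 2
/dev/sda7 /usr ext3 defaults,ro 0 2'

# User-writable directories that the Securing Debian Manual says to separate.
WRITABLE_DIRS="/home /tmp /var/tmp"

# has_opt OPTS NAME: succeed if the comma-separated mount options contain NAME
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fstab_mount_opts FSTAB DIR: print the option field of DIR's own entry,
# or nothing when DIR is not a separate filesystem
fstab_mount_opts() {
    printf '%s\n' "$1" | awk -v dir="$2" '$1 !~ /^#/ && $2 == dir { print $4 }'
}

# audit_fstab FSTAB: print one finding per line, succeed only if there are none
audit_fstab() {
    findings=0
    for dir in $WRITABLE_DIRS; do
        opts=$(fstab_mount_opts "$1" "$dir")
        if [ -z "$opts" ]; then
            echo "$dir: not a separate filesystem, nosuid/nodev cannot be enforced"
            findings=$((findings + 1))
            continue
        fi
        for want in nosuid nodev; do
            if ! has_opt "$opts" "$want"; then
                echo "$dir: missing $want (options: $opts)"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# audit_findings FSTAB: number of findings, convenient for scripting
audit_findings() {
    audit_fstab "$1" | wc -l | tr -d ' '
}

# multilinked_setuid DIR: setuid regular files under DIR with more than one
# hard link. Every extra path printed is a link that dpkg does not know about.
multilinked_setuid() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Demo on the constructed fstab. On a real host use "$(cat /etc/fstab)" and
# point multilinked_setuid at / (run as root so every directory is readable).
if audit_fstab "$SAMPLE_FSTAB"; then
    echo "fstab: all user-writable directories are separate and nosuid,nodev"
else
    echo "fstab: see findings above"
fi
```

For the constructed fstab the audit reports two findings (/home without nosuid, /var/tmp without a filesystem of its own); /tmp passes. The hard-link scan is the complement to the partition advice in the thread: even with correct mount options, a setuid file with a link count above 1 is worth tracking down because the extra link keeps the old binary alive after an upgrade.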