
Bug#609455: linux-2.6: block hardlinks to non-accessible sources



On Sun, 2011-01-09 at 17:51 +0100, Maximilian Gaukler wrote:
> Package: linux-2.6
> Severity: wishlist
> Tags: patch
> 
> An indirect security problem in many linux systems is that a user can
> generate hardlinks to files that he may not write. I suggest adding a
> patch [1] to Debian's kernel which adds a sysctl configuration option
> to forbid such hardlinks. This option should default to "allow" so
> that the default behaviour does not change.
> 
> This patch will protect against the following security problems when
> activated:
> One scenario that is described in [2] is that a user creates a
> hardlink to a suid-root binary, e.g. /bin/bash, inside his home

You seem to be a bit confused about this vulnerability.  /bin/bash is of
course not suid-root, only owned by root.

The interesting thing that can be done with suid-root binaries is to
make links to them so that if a vulnerability is discovered in them it
can be exploited even after the administrator has upgraded them.  (This
can be defended against in the package manager by removing the suid/sgid
bits before unlinking them.  I don't know whether dpkg does that yet.)

>  directory and asks the administrator to fix the permissions in this
> directory. The administrator will probably run chmod -R u+w,g+w and
> chown -R user:usergroup. Now the user is the owner of /bin/bash and
> can quickly become root.
> A rather simple case would be flooding /tmp/ with hardlinks to
> root-owned files. Even if the user is limited to a certain number of
> files, this will not be counted on his quota.
> 
> If the patch is activated, there are only a few negative side effects:
> It violates POSIX specifications and might break unknown, possibly
> insecure, applications.

It doesn't violate POSIX specifications; implementations are allowed to
apply restrictions beyond the standard Unix permission checks (e.g.
SELinux).

> BTW, Ubuntu has this patch enabled by default, so it can't be too bad.

Many distributions apply many patches that are not upstream.  We
generally try to avoid doing that in the standard kernel images.

However, we may add kernel images with the 'grsec' featureset for the
next release (wheezy).

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
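The "chown -R the user's directory" scenario quoted above is the case an administrator can check for before acting. The script below is an added example, not code from the bug report or from the referenced patch: it lists every regular file under a directory that has more than one link and is not owned by the uid the tree is about to be handed to, and it reports whether the kernel's hardlink restriction is switched on. Assumptions not stated on the page: GNU find/stat/awk are available, and the restriction the report asks for is the one later merged upstream as fs.protected_hardlinks (/proc/sys/fs/protected_hardlinks, Linux 3.6 and later); the demo links a file the current user owns, because creating a root-owned file needs root.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a directory tree for hard
# links to inodes owned by someone other than the intended owner, which is
# exactly what makes a blind "chown -R user:group dir" dangerous.

# foreign_hardlinks DIR UID
# Prints "links uid path" for each regular file under DIR with more than one
# link whose owner is not UID.  Returns 0 when nothing suspicious is found,
# 1 when at least one such file exists.
foreign_hardlinks() {
    dir=$1
    want_uid=$2
    # -links +1 is POSIX find; stat -c is GNU coreutils (assumption).
    find "$dir" -type f -links +1 -exec stat -c '%h %u %n' {} + 2>/dev/null |
        awk -v want="$want_uid" '
            $2 != want { print; bad = 1 }
            END { exit bad ? 1 : 0 }'
}

# hardlinks_protected
# Returns 0 when the kernel refuses hard links to files the caller may not
# write (the sysctl added when the patch went upstream; assumption: the
# report itself does not name it), 1 otherwise or when the knob is absent.
hardlinks_protected() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = 1 ]
}

# Demonstration on constructed input: one file plus a hard link to it.
demo=$(mktemp -d)
: > "$demo/owned-by-me"
ln "$demo/owned-by-me" "$demo/innocent-name"

echo "hard links under $demo not owned by uid 0:"
if foreign_hardlinks "$demo" 0; then
    echo "-> none, chown -R would be safe"
else
    echo "-> present, do not chown -R or chmod -R this tree"
fi

if hardlinks_protected; then
    echo "fs.protected_hardlinks=1: users cannot link to files they may not write"
else
    echo "fs.protected_hardlinks is off or unavailable on this kernel"
fi

rm -rf "$demo"
```

Run it before handing a directory over; a non-zero exit from foreign_hardlinks means the tree contains a name that points at somebody else's inode, and changing ownership of that name changes ownership of the original file too.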
