[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: symlink attack

also sprach Mark-Walter@t-online.de <Mark-Walter@t-online.de> [2004.10.30.1735 +0200]:
> I'am interested to obtain information how an unsecure usage of the
> directory /tmp is to be avoided within a project which is called
> symlink attack.

In a symlink attack, an attacker creates a symlink, e.g.
/tmp/myapp.tmp > /etc/shadow, causing either /etc/shadow to be
truncated (DoS attack), or giving the attacker leighway to make the
application (which must run as root) overwrite the root password in
the shadow file (e.g. with a buffer overflow or another weakness in

One way to prevent this is to use O_NOFOLLOW in the open(2) call.
However, this is not POSIX. See `man 2 open` for more info.

> Especially I'am interested if it's a difference to have quota
> deactivated and a user is filling your hardisk to the limit, or
> not.

That has very little to do with symlink attacks.

If a user fills the harddisk (or sets the max file limit to 0),
processes opening files for reading are likely going to destroy the
contents as there is not enough space available to write back the
modified copy after reading it.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

Reply to: