
Re: basically security of linux

--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich <johannes@physik.blm.tu-muenchen.de> wrote:


> Boyd Stephen Smith Jr. wrote:
>> What about hardlinking the suid-root binaries to a hidden location,
>> waiting for a security hole to be found/fixed, and then running the old
>> binary to exploit the hole?

This is why compromised systems can't be trusted ever again. That said, there are utilities and methods for finding rogue SUID binaries. Tripwire comes to mind; there are many others too.

> IIRC, a hard link is the same file called two different names. If
> dpkg/apt change the file in one location (security update), the other
> one will be changed as well [1]...

That only holds true of edit-in-place, something that most packaging systems do not do, the reason being that with the way modern systems/kernels execute code, this would modify running code (they generally mmap the code, read-only, into the process's address space).

FreeBSD at least, IIRC, prevents this: Text File Busy/Text File In Use error. However, you can't create a hard link on a file you don't own, you can't do it across drives, and I don't think your hardlinked copy retains SUID bits... though I could be wrong about the last bit.

> You'd have to *copy* the hard linked file, but that would still not
> allow you to copy it back later or to retain its suid properties.
>
> Am I missing something?


> [1] http://en.wikipedia.org/wiki/Hard_link



"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
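The mechanics argued over in this thread can be checked on a scratch directory without touching any real setuid binary. The script below is an added example; it is not code from the thread, from Debian or from dpkg. It builds a constructed stand-in for a setuid binary (a shell script with u+s set, owned by the current user, so no root is needed), gives it a second hard link, and then applies a "security update" two ways: rewriting the same inode in place, and writing a new inode beside it and renaming over the old name, the pattern package managers use. It also runs two defender-side scans, one by link count and one against a baseline list of expected setuid paths (the sort of thing Tripwire keeps). Function and file names (`make_scratch`, `extra_link`, `baseline`) are mine.

```shell
#!/bin/sh
# Added example: hard-link sharing, in-place edit vs. rename-based replace,
# and two scans for setuid files. Everything happens in a temp directory.
set -eu

# Fresh scratch dir: bin (v1, mode 4755), a second hard link to the same
# inode, and a baseline file listing the one setuid path we expect.
make_scratch() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho vulnerable-v1\n' > "$d/bin"
    chmod 4755 "$d/bin"
    ln "$d/bin" "$d/extra_link"        # same inode: same bytes, same mode bits
    printf '%s\n' "$d/bin" > "$d/baseline"
    printf '%s\n' "$d"
}

# Link count of a path, taken from ls field 2 (portable, no GNU stat needed).
link_count() { ls -ld "$1" | awk '{print $2}'; }

# Update style A: rewrite the existing inode in place.
edit_in_place() { printf '#!/bin/sh\necho fixed-v2\n' > "$1"; }

# Update style B: write a new inode next to the old one and rename over it.
# Any other name for the old inode keeps the old bytes and the old mode.
replace_by_rename() {
    printf '#!/bin/sh\necho fixed-v2\n' > "$1.new"
    chmod 4755 "$1.new"
    mv -f "$1.new" "$1"
}

# Scan 1: setuid files that currently have more than one name.
suid_with_extra_names() { find "$1" -type f -perm -4000 -links +1; }

# Scan 2: setuid files whose path is not in the baseline list.
suid_not_in_baseline() {
    find "$1" -type f -perm -4000 | grep -v -x -F -f "$2" || true
}

# Each scenario prints exactly one line and removes its scratch dir.
links_before_update() {
    d=$(make_scratch); link_count "$d/bin"; rm -rf "$d"
}
mode_shared_by_link() {            # "yes" if the second name carries u+s too
    d=$(make_scratch)
    if [ -u "$d/extra_link" ]; then echo yes; else echo no; fi
    rm -rf "$d"
}
extra_name_after_edit_in_place() { # both names see the new bytes
    d=$(make_scratch); edit_in_place "$d/bin"; sh "$d/extra_link"; rm -rf "$d"
}
extra_name_after_replace() {       # the second name still runs the old bytes
    d=$(make_scratch); replace_by_rename "$d/bin"; sh "$d/extra_link"; rm -rf "$d"
}
multilink_hits_after_replace() {   # link-count scan: stale copy now has 1 link
    d=$(make_scratch); replace_by_rename "$d/bin"
    suid_with_extra_names "$d" | awk 'END { print NR }'
    rm -rf "$d"
}
baseline_hit_after_replace() {     # baseline scan: still flags the stale copy
    d=$(make_scratch); replace_by_rename "$d/bin"
    suid_not_in_baseline "$d" "$d/baseline" | sed 's#.*/##'
    rm -rf "$d"
}

if [ "${1:-}" = run ]; then
    echo "link count before update:          $(links_before_update)"
    echo "second name has u+s:               $(mode_shared_by_link)"
    echo "second name after in-place edit:   $(extra_name_after_edit_in_place)"
    echo "second name after rename replace:  $(extra_name_after_replace)"
    echo "multi-link setuid hits afterwards: $(multilink_hits_after_replace)"
    echo "not-in-baseline hit afterwards:    $(baseline_hit_after_replace)"
fi
```

Run it with `sh script.sh run`. The two scans illustrate why the thread's "utilities and methods for finding rogue SUID binaries" matter: a link-count check (`find / -perm -4000 -links +1`) only catches the extra name while the package's file and the extra name still share an inode, i.e. before the update lands; once the rename has happened the stale copy has a single name and only a baseline comparison of setuid paths (or a file-integrity tool such as Tripwire) still sees it. On current Linux kernels the `fs.protected_hardlinks` sysctl is what governs whether a user may hard-link files they do not own.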
