Symlink race
Revision as of 20:36, 15 June 2005
A symlink race is a kind of software security vulnerability that results from a program creating files in an insecure manner, typically in a world-writable directory such as /tmp. A malicious user first creates a symbolic link, under a name the program is known to use, pointing at a file they could not otherwise write. When the privileged program creates a file of that name, the kernel follows the link and the program actually creates or truncates the linked-to file instead, possibly writing content supplied by the malicious user into it.
It is called a "race" because in its typical manifestation the program first checks whether a file of that name already exists (for example with stat() or access()) and only then creates it. The check and the creation are two separate system calls, so an attacker who plants the link in the interval between them wins the race; this is an instance of a time-of-check-to-time-of-use (TOCTOU) flaw. Because the check provides no protection on its own, the fix is to make the check and the creation a single atomic operation, for example by opening with O_CREAT|O_EXCL or by using mkstemp().
Example
In this naïve example, the Unix program foo is setuid root. Its function is to retrieve information for the accounts specified by the user. For "efficiency," it sorts the requested accounts into a predictably named temporary file (/tmp/foo, naturally) before making the queries.
The directory /tmp is world-writable. Malicious user Alice creates a symbolic link named /tmp/foo that points to the file /.rhosts, which only root can write. Then she invokes foo with + + as the requested account. The program opens its temporary file /tmp/foo for writing with O_CREAT; since it runs as root and the kernel follows the link, this really creates (or truncates) /.rhosts, and the program writes the requested account (+ +) into it. It then removes the temporary file, which merely removes the symbolic link, leaving no trace in /tmp.
Now /.rhosts contains + +, which is the incantation that allows any user on any host to use rlogin to log into the computer as the superuser without a password.
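As an added example (not part of the original article), the following C program models foo's naïve temporary-file handling alongside a hardened version that uses O_CREAT|O_EXCL, and replays Alice's attack in a private scratch directory so that the real /.rhosts is never touched. The function names naive_write_temp, safe_write_temp and simulate_attack, the scratch directory under /tmp and the stand-in file names "rhosts" and "foo" are assumptions of this example, not code from any real foo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

static const char *PAYLOAD = "+ +\n";   /* the "account" Alice asked foo to sort */

/* Naive writer, modelled on foo: O_CREAT without O_EXCL. If path is already a
 * symlink, open() follows it and creates or truncates the target, so the data
 * lands in whatever Alice pointed the link at. Returns 0 on success. */
static int naive_write_temp(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t want = (ssize_t)strlen(data);
    ssize_t n = write(fd, data, (size_t)want);
    close(fd);
    return n == want ? 0 : -1;
}

/* Hardened writer: O_CREAT|O_EXCL turns "check that nothing exists" and
 * "create" into one atomic system call. POSIX requires it to fail with EEXIST
 * when path names a symlink, whatever the link points to, so there is no
 * window for Alice to race. O_NOFOLLOW is redundant here but documents intent.
 * Returns 0 on success, -1 with errno set (EEXIST if something was planted). */
static int safe_write_temp(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t want = (ssize_t)strlen(data);
    ssize_t n = write(fd, data, (size_t)want);
    close(fd);
    return n == want ? 0 : -1;
}

/* Replay Alice's attack inside a scratch directory (assumed path under /tmp).
 * Returns 1 if the payload ended up in the victim file, 0 if it did not,
 * and -1 if the scenario could not be set up. */
static int simulate_attack(int hardened)
{
    char dir[] = "/tmp/symlinkrace.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[PATH_MAX], link[PATH_MAX], buf[64] = {0};
    snprintf(victim, sizeof victim, "%s/rhosts", dir); /* stands in for /.rhosts */
    snprintf(link, sizeof link, "%s/foo", dir);        /* stands in for /tmp/foo */

    /* The victim file exists and is empty before the attack. */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }
    close(fd);

    /* Alice plants the link "/tmp/foo -> /.rhosts" before foo creates its file. */
    if (symlink(victim, link) != 0) {
        unlink(victim);
        rmdir(dir);
        return -1;
    }

    /* foo writes its "sorted accounts" to the predictable temporary name... */
    if (hardened)
        safe_write_temp(link, PAYLOAD);   /* fails with EEXIST; victim untouched */
    else
        naive_write_temp(link, PAYLOAD);  /* follows the link into the victim */

    /* ...and cleans up, which removes only the symlink. */
    unlink(link);

    /* Inspect the victim: did Alice's payload land? */
    fd = open(victim, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    unlink(victim);
    rmdir(dir);
    return (n > 0 && strcmp(buf, PAYLOAD) == 0) ? 1 : 0;
}

int main(void)
{
    printf("naive writer:  victim %s\n",
           simulate_attack(0) == 1 ? "now contains '+ +'" : "untouched");
    printf("O_EXCL writer: victim %s\n",
           simulate_attack(1) == 1 ? "now contains '+ +'" : "untouched");
    return 0;
}
```

The naive run writes the payload through the link; the O_EXCL run fails at open() and the victim stays empty. In practice the hardened path is usually spelled mkstemp(), which performs the same O_CREAT|O_EXCL open on an unpredictable name; checking with lstat() before open() does not help, because that reintroduces the check-then-create window the article describes. As a system-level backstop, Linux's fs.protected_symlinks sysctl refuses to follow a symlink in a world-writable sticky directory such as /tmp unless the link's owner matches the process or the directory owner.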