I've talked with some people about it and found only one person who knew
about this and no one who could offer a good reason for it. So perhaps
awareness should be increased and OSs patched.
I've tested this out on SunOS 4.1; RedHat 6.0 (Linux 2.2.5-15); BSDI
BSD/OS 4.0; and NetBSD 1.4.1. Probably lots more do it.
Basically any user can make a hard link to any file IF:
A) the user knows the file exists;
B) has enough access to cd into the directory it is in;
C) has write access to any directory on the same volume.
What does this gain you?
1) If the user has read access to the writable directory, s/he can now stat the inode even if the original location did not offer read access.
2) The user can change the ctime of the inode (fun with tripwire).
3) Some suid programs that just checked for symlinks can perhaps be duped into opening or writing to files they shouldn't.
4) Social hacks involving 'chown -R' or the like.
5) Screw with the quota of other users, and other ways to make it hard to delete files that should be deleted (e.g. large logs in /var).
Possibly other things.
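The behaviour above is easy to audit for from the defender's side: every name of a file shares one inode, so a regular file with st_nlink greater than one has a second name somewhere on the same volume, and a name that sits in a directory owned by a different uid than the file is exactly the situation the post describes. The scanner below is an added example written for this page, not code from the original post or any of the systems it lists; the function names (find_multilinked, unaccounted_names, cross_owner_links) and the sample tree it builds under a temporary directory are my own constructions.

```python
"""Audit a tree for hard-linked regular files and flag names that sit in a
directory owned by someone other than the file's owner.

Added example for this page, not code from the original post. Runs without
privileges; the sample tree built by make_sample_tree() is constructed."""
import os
import shutil
import stat
import tempfile


def _on_device(path, dev):
    """True if path is on device dev; unreadable entries count as off-volume."""
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def find_multilinked(root):
    """Map (st_dev, st_ino) -> {"nlink": n, "paths": [...]} for every regular
    file under root with more than one name. Hard links cannot cross
    filesystems, so other mounted volumes are pruned from the walk."""
    root_dev = os.lstat(root).st_dev
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if _on_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                entry = found.setdefault((st.st_dev, st.st_ino),
                                         {"nlink": st.st_nlink, "paths": []})
                entry["paths"].append(path)
    return found


def unaccounted_names(root):
    """(inode key, names seen, st_nlink) for inodes whose link count exceeds the
    names found under root: the missing names live elsewhere on the volume,
    which is where the unexpected link usually is."""
    return [(key, len(e["paths"]), e["nlink"])
            for key, e in find_multilinked(root).items()
            if len(e["paths"]) < e["nlink"]]


def cross_owner_links(root):
    """(path, file uid, directory uid) for each name of a multi-linked file that
    sits in a directory owned by a uid other than the file's owner, i.e. a link
    made by someone who could not write the file's original directory."""
    flagged = []
    for entry in find_multilinked(root).values():
        for path in entry["paths"]:
            file_uid = os.lstat(path).st_uid
            dir_uid = os.lstat(os.path.dirname(path)).st_uid
            if file_uid != dir_uid:
                flagged.append((path, file_uid, dir_uid))
    return flagged


def make_sample_tree():
    """Constructed sample: a scanned root with a file in a/, a second name in b/,
    a third name outside the scanned root on the same volume, and one
    single-name file that must not be reported.
    Returns (tmp, root, original, alias, outside_alias)."""
    tmp = tempfile.mkdtemp(prefix="hardlink-scan-")
    root = os.path.join(tmp, "root")
    for d in ("root/a", "root/b", "outside"):
        os.makedirs(os.path.join(tmp, d))
    original = os.path.join(root, "a", "secret.log")
    with open(original, "w") as fh:
        fh.write("constructed sample content\n")
    alias = os.path.join(root, "b", "alias")
    outside_alias = os.path.join(tmp, "outside", "alias2")
    os.link(original, alias)
    os.link(original, outside_alias)
    with open(os.path.join(root, "a", "plain.txt"), "w") as fh:
        fh.write("single-name file, must not be reported\n")
    return tmp, root, original, alias, outside_alias


def cleanup_sample_tree(tmp):
    shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    tmp, root, *_ = make_sample_tree()
    try:
        for key, entry in find_multilinked(root).items():
            print(key, entry["nlink"], entry["paths"])
        print("names elsewhere on the volume:", unaccounted_names(root))
        print("cross-owner links:", cross_owner_links(root))
    finally:
        cleanup_sample_tree(tmp)
```

Run it against a real volume (for example the filesystem holding /var or /home) rather than the sample tree to get useful output; on a normal system the cross-owner list should be short and explainable. The sample tree is built as a single uid, so cross_owner_links() is empty there, and it cannot exercise the ctime point from item 2 either, since a link changes ctime but not the owner. Where the scan is being used in place of a later kernel control: Linux 3.6 and later can refuse the links this post is about outright with the sysctl fs.protected_hardlinks=1, which limits hard links to files the caller owns or can already read and write; the BSDs and SunOS of the post's era had no equivalent.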
Thanks to Alexis Rosen for his input on this.
Benjamin
Received on Dec 22 1999