Re: Symlink vulnerabilities

[dave bl <db.pub.mail () gmail com>]

On 22 October 2011 15:39, Michal Zalewski <lcamtuf () coredump cx> wrote:
> > In any case, the *right* answer isn't to play whack-a-mole fixing /tmp races,
> > what you should be doing is using pam_namespace or similar so each user gets
> > their own /tmp namespace.
>
> That would result in counterintuitive behavior, I suppose... /tmp is a
> fairly stupid and largely unnecessary artifact of the old.
>
> If you are in charge of a distro, it would not hurt to nuke it
> altogether and change all packages in your control to use per-user
> $TMPDIR. Some third-party stuff will break - but it breaks every now
> and then anyway.

Actually in Ubuntu YAMA(Yama Linux Security Module)[0] should block
/tmp symlink attacks.
According to [1] "In Ubuntu 10.10 and later, symlinks in
world-writable sticky directories (e.g. /tmp) cannot be followed if
the follower and directory owner do not match the symlink owner. The
behavior is controllable through the
/proc/sys/kernel/yama/protected_sticky_symlinks sysctl, available via
Yama. "


[0] http://zinc.canonical.com/git?p=kees/linux-2.6.git;a=shortlog;h=refs/heads/yama
[1] https://wiki.ubuntu.com/Security/Features

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/