Re: How does chown(2) works with symlinks?

Todd Graham Lewis (
Mon, 8 Jul 1996 11:27:58 -0400

On 8 Jul 1996, Thomas Koenig wrote:

> In, Linus Torvalds <> wrote:
> >which should always work the way you expect. If you use "chown()" on the
> >pathname it will change the synlink itself (if you think about it, that is
> >actually the reasonable behaviour: otherwise you could never change the owner
> >of the symlink).
> This also protects against all sorts of nasty games with symlinks,
> for example the well - known xterm bug, where the program did, as root,
> open("somefile");
> <=== user could do a "rm somefile; ln -s /etc/profile somefile"
> chown(user,group,"somefile");

Indeed. For an analysis of this class of security "features", see
_Computing Systems_, Vol. 9, no. 2, p 131, "Checking for Race Conditions
in File Access" by Matt Bishop and Michael Dilger.

Turns out aside from the xterm bug there was also a sendmail bug
(suprise!) that they got Allman to fix. Neat stuff.

Todd Graham Lewis Core Engineering Mindspring Enterprises (Standard Disclaimers) (800) 719 4664, x2804