Re: Proposal: restrict link(2)

Thomas Koenig (
Thu, 12 Dec 1996 13:05:24 +0100 (MET)

The Deviant wrote:

>Exactly. since /etc/passwd is root.root (or root.shadow, or whatever),
>anything linked to it (/tmp/foo in this example) is also owned root.root.
>As the original author of this thread should have observed before posting,
>a user may not chown something he to or from a user or group he does not
>belong to. This "crack" will not work.

Uh, sure. Unless, that is, I can trick a root-privileged program into
chowning something in /tmp, for example. Can anybody say "xterm logging

Alternatively, consider the possibilities when a root-privileged does an
open() on a file in /tmp. I feel much more secure when I know that this
CAN'T open any valuable configuration file.

Some programs use mktemp(3). The filenames generated are predictable.
Soft links are one way of exploiting this; hard links are another.

Some of the worst attacks don't work on Linux, because of the
way it handles softlinks. Other, equivalent attacks with hard links
work because of the way symlinks are traditionally implemented in

BTW, I think Harald Koenig's suggestion is even better. Disallow
hard links unless you're the owner of the file.

Thomas Koenig,, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.