Peter Anvin and I have been emailing back and forth about this.
I think I now understand what he means by insecure:
Suppose I do an "lpr -s '/home/wolff/${uid}'". Then lpr will pull a
symlink which might not mean what it intended into its "secure
environment".
In this specific case, it might just print a different file than was
intended. I don't see any other problems. If the printing process
opens the file under my uid (which it should for security reasons) I
will be able to change where the symlink points. But I could've done
that already through modifying the filesystem (just print something
that already is a symlink). The result is that I can print files that
I already had access to anyway.
Does anybody know of any other setuid applications that use the
"symlink" system call?
Actually, this varlink stuff all started to prevent /tmp exploits by
giving every EUID a different /tmp directory. The "good" way of fixing
it, is to make every program/script in the world use $TMPDIR and
making sure that everybody sets that to $HOME/tmp. I think that in
practice, it won't be possible to educate every script-writer to do
this.
Roger.
--
If it's there and you can see it, it's REAL          | R.E.Wolff@BitWizard.nl
If it's there and you can't see it, it's TRANSPARENT | Tel: +31-15-2137555
If it's not there and you can see it, it's VIRTUAL   | FAX: +31-15-2138217
If it's not there and you can't see it, it's GONE!   -- Roy Wilks, 1983
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu
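The message above says the "good" fix for shared-/tmp problems is for every program to honour $TMPDIR and for users to point it at a private $HOME/tmp. The following is an added example, not code from the message or from any lpr implementation, of what a program that follows that advice should do before trusting the directory: resolve $TMPDIR (falling back to $HOME/tmp), create it with mode 0700 if missing, and then check with lstat (never stat) that what is there is a real directory owned by the caller and not group- or world-writable, so a symlink planted at that path is refused rather than followed. The function names, the exception class and the fallback policy are assumptions made for this example.

```python
import os
import stat
import tempfile


class UnsafeTmpDir(Exception):
    """Raised when the per-user temporary directory fails a safety check."""


def user_tmpdir(env=None, uid=None):
    """Return a per-user temporary directory, creating it if needed.

    Policy assumed for this example: honour $TMPDIR if set, otherwise use
    $HOME/tmp. The directory must be a real directory (not a symlink), owned
    by the caller, and not writable by group or others.
    """
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid

    path = env.get("TMPDIR")
    if not path:
        home = env.get("HOME")
        if not home:
            raise UnsafeTmpDir("neither TMPDIR nor HOME is set")
        path = os.path.join(home, "tmp")

    # Create with a restrictive mode. If something already exists at the
    # path, mkdir fails with EEXIST and the checks below decide whether
    # that something is acceptable.
    try:
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass

    # lstat, not stat: a symlink planted at this path must not be followed,
    # because its target is whatever the planter chose.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise UnsafeTmpDir(f"{path} is a symlink")
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeTmpDir(f"{path} is not a directory")
    if st.st_uid != uid:
        raise UnsafeTmpDir(f"{path} is owned by uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeTmpDir(f"{path} is group- or world-writable")
    return path


def create_tempfile(env=None):
    """Create a temporary file inside the checked per-user directory.

    mkstemp opens with O_CREAT|O_EXCL, so a pre-existing file or symlink at
    the chosen name makes the open fail instead of being followed.
    """
    fd, name = tempfile.mkstemp(dir=user_tmpdir(env))
    os.close(fd)
    return name


if __name__ == "__main__":
    # Constructed demonstration: a throwaway HOME under the system temp dir.
    demo_home = tempfile.mkdtemp()
    print("using", user_tmpdir({"HOME": demo_home}))
    print("created", create_tempfile({"HOME": demo_home}))
```

The ownership check is what makes the per-user directory meaningful: a directory in $HOME that the user did not create, or that someone else can write to, is no safer than a shared /tmp, and the lstat-before-use ordering is what stops a symlink left at $HOME/tmp from redirecting every later temporary file.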