> > I tell at to run job /tmp/program. Tmp in fact is a symlink to
> > /.tmp/${UID}. At checks that I have privileges to /tmp/program, and
> > places '/tmp/program' in some kind of list of things to do.
> >
> > Some time later, cron looks, and sees that luser cracker wants to exec
> > /tmp/program. But, due to some things, /tmp is no longer a pointer to
> > /.tmp/crackeruid, it is a pointer to /.tmp/gooduid. But cron does not
> > know that. Cron does not check permissions now. It has already done
> > so. So it executes /tmp/program. But it executes the _other_, potentially
> > secret, /tmp/program.
>
> Any program that falls for this kind of problem ALREADY HAS a security
> problem: anything can have changed "/tmp/program". It could have been
> simply a symlink pointing here (access allowed) or there (no access
> allowed).

OK, but if the program did check right before the read (but changed UID in
progress), then we used to have a hard-to-exploit race. Now we have a
cleanly exploitable bug.

I'm not sure if this is an issue or not.

> I still don't see how varlinks reduce security.

They probably do not, except in corner cases.

Pavel
-- 
I'm really pavel@atrey.karlin.mff.cuni.cz. Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
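
The check-then-use gap discussed in this thread, as an added example (not code from the thread, nor from at or cron): a job approved by name is later run either by re-resolving the name or by verifying the opened file against what was approved. The function names and the sandbox directory that stands in for /tmp are hypothetical and constructed for the illustration.

```python
import os, tempfile

def queue_job(path):
    """Queue time: check by name, then remember WHICH file was approved."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(path)
    return (st.st_dev, st.st_ino)

def run_by_path(path):
    """Run time, naive: the name is resolved again, so a retargeted link wins."""
    with open(path) as f:
        return f.read()

def run_pinned(path, ident):
    """Run time, hardened: open once, verify the opened object, use that descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        # Inode numbers can be reused after deletion; copying the job or keeping
        # the descriptor open from queue time avoids relying on them.
        if (st.st_dev, st.st_ino) != ident:
            raise PermissionError(f"{path} no longer names the approved file")
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)

def demo(retarget=True):
    root = tempfile.mkdtemp()              # constructed sandbox, not the real /tmp
    for who in ("crackeruid", "gooduid"):
        os.mkdir(os.path.join(root, who))
        with open(os.path.join(root, who, "program"), "w") as f:
            f.write(f"job of {who}")
    link = os.path.join(root, "tmp")       # stands in for /tmp -> /.tmp/${UID}
    os.symlink(os.path.join(root, "crackeruid"), link)
    job = os.path.join(link, "program")
    ident = queue_job(job)
    if retarget:                           # the name now resolves to another directory
        os.remove(link)
        os.symlink(os.path.join(root, "gooduid"), link)
    naive = run_by_path(job)
    try:
        pinned = run_pinned(job, ident)
    except PermissionError:
        pinned = None                      # refused: not the file that was checked
    return naive, pinned

if __name__ == "__main__":
    print(demo())
```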