Re: Can't hardlink in different dirs. (BUG#826)

Kjetil Torgrim Homme (kjetilho@ifi.uio.no)
09 Dec 1999 04:01:46 +0100


[Alexander Viro]

> Huh? If attacker can link something outside of chroot jail you
> are _already_ screwed - he can just access it directly.

A local user can make restricted files available for anonymous FTP if
he has write access somewhere inside the jail. A bit far-fetched, I
admit. A more plausible scenario is a user jailed in order to have
access to special resources in a safe manner, and an accomplice on the
outside giving him access to additional (setuid) programs by linking
them into the jail.

> > Think chmod() (by the admin after the "rogue" link()).
>
> s/admin/luser with root/. That's what find(1) is for. Blind
> recursive _anything_ in places you don't control is asking for
> trouble.

Huh? I'm thinking:

A creates a file which will contain a list of all students and their
grades ("umask 002" rules :-)
B links to the file
A realizes he forgot to protect the directory
A fills in the list
B reads the list at leisure, and makes a fortune on blackmail. Or
perhaps on private lessons.

The nlink is easily overlooked.

> > Hardlinks are seldom used by ordinary users, anyway, since they
> > can't cross device boundaries.
>
> Absolute BS. Subtrees from the homedir rarely span over
> several filesystems.

Of course, but I own or have write access to all the files in my
homedir, so that doesn't matter. Our users are spread out on 108(!)
different partitions. The odds that two students cooperating on some
project are on the same partition are minuscule.

I think the advantages outweigh the disadvantages, but it should be a
mount option, of course.

Kjetil T.
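
The grades-file sequence described in the message, turned into a defender's check. This is an added example, not part of the original post: before sensitive data goes into a file, look at its link count, and sweep a tree for extra names with find(1). The function names and the scratch directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread); all names are hypothetical.

# Print the hard-link count of a file (GNU stat first, BSD stat as fallback).
link_count() {
    stat -c %h -- "$1" 2>/dev/null || stat -f %l -- "$1"
}

# Succeed only if the path is a regular file (not a symlink) with one name.
safe_to_fill() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ "$(link_count "$1")" -eq 1 ]
}

# List regular files under a tree that also have a name somewhere else.
extra_links() {
    find "$1" -xdev -type f -links +1 -print
}

# Constructed demo: replay the A/B sequence in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/a_dir" "$d/b_dir"
    : > "$d/a_dir/grades"                      # A creates the empty file
    safe_to_fill "$d/a_dir/grades" && before=ok || before=refuse
    ln "$d/a_dir/grades" "$d/b_dir/keep"       # B adds a second name
    chmod 700 "$d/a_dir"                       # A protects the directory
    safe_to_fill "$d/a_dir/grades" && after=ok || after=refuse
    found=$(extra_links "$d/a_dir" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after $found"               # prints "ok refuse 1"
}

demo
```

When the check refuses, write the data to a newly created file inside the protected directory and remove the old name, since changing the directory mode does not affect the other link.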
