From: James Youngman
Subject: Re: install.c: please set unlink_dest_before_opening=false
Date: Sun, 25 Feb 2007 10:48:54 +0000
On 2/20/07, Paul Eggert <address@hidden> wrote:
> POSIX makes no requirement. Other implementations are all over the map here, so I suppose we can do what is more convenient. On Solaris 10, /usr/ucb/install breaks the destination link, and /usr/sbin/install does not break it. Traditionally, coreutils has tried to be BSD-compatible, which argues for the current behavior. Has BSD behavior changed? (I took a quick look at the FreeBSD source code for what it does, and quickly became bewildered. :-)
The behaviour you are describing for /usr/sbin/install is probably more secure. Picture this:

* Start with a vanilla multiuser Unix system, with a number of setuid binaries.
* Wait a short time.
* Will E. Hacker comes along and makes hard links to all the setuid binaries in (say) / and /usr. This obviously requires a hacker-writable directory on the same filesystem. He records the resulting link counts of the relevant inodes.
* Wait a short time.
* The system administrator applies a security update to a setuid binary.
* The hacker performs a periodic check, and notices that the link count on his 'saved' hard link has fallen.
* The hacker now has access to a setuid binary which he knows has a security problem. A websearch will probably reveal an exploit.

(This observation is due, I think, to Rob Holland.)

James.
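The point of the scenario above is a filesystem detail: an installer that unlinks the destination and creates a new file leaves every other hard link pointing at the old inode (old, unpatched content), while one that opens and overwrites the existing inode updates all links at once. The following POSIX sh script is an added demonstration, not code from the thread or from coreutils; the function names, the scratch files and the "old-vulnerable"/"new-fixed" markers are constructed for the example. It also includes the defensive check an administrator would run: listing setuid/setgid files whose link count is greater than one.

```shell
#!/bin/sh
# Added demonstration (not from the thread): how the two install(1)
# strategies affect a pre-existing hard link to the destination.
set -eu

# Strategy A: unlink the destination, then create a fresh file (new inode).
# Any other hard link keeps the OLD inode and therefore the OLD content.
install_unlink_first() {   # $1 = source, $2 = destination
    rm -f "$2"
    cat "$1" > "$2"
}

# Strategy B: open the existing destination and overwrite it in place
# (same inode). Every hard link to it now sees the NEW content.
install_in_place() {       # $1 = source, $2 = destination
    cat "$1" > "$2"        # '>' truncates and rewrites the existing inode
}

# Runs one strategy in a scratch directory and reports what a stale
# hard link made before the update sees afterwards: "old" or "new".
demo() {                   # $1 = name of the strategy function
    dir=$(mktemp -d)
    printf 'old-vulnerable\n' > "$dir/bin"
    ln "$dir/bin" "$dir/saved"              # the 'saved' hard link
    printf 'new-fixed\n' > "$dir/update"    # the security update
    "$1" "$dir/update" "$dir/bin"
    case $(cat "$dir/saved") in
        old-vulnerable) result=old ;;
        *)              result=new ;;
    esac
    rm -rf "$dir"
    printf '%s\n' "$result"
}

# Defensive check: regular files under a directory (same filesystem only)
# that are setuid or setgid AND have more than one link, i.e. are also
# reachable under some other name. Each such path deserves a look.
find_multilinked_setuid() {   # $1 = directory to scan
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 \
        2>/dev/null
}
```

Running `demo install_unlink_first` prints "old" and `demo install_in_place` prints "new", which is the whole argument for not unlinking the destination before opening it.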