Subject: links in [/var]/tmp (was "symlink ownership")
To: None <current-users@NetBSD.ORG>
From: Lon Willett <willett@math.utah.edu>
List: current-users
Date: 08/02/1995 10:25:14
Despite all the discussion about symlinks in /tmp, it seems to me the
real security aspects of them have been overlooked.  Banning symlinks
and hard-links-of-files-not-owned-by-the-caller from [/var]/tmp provides
some additional level of security, regardless of the way symlinks are
implemented (which is why I changed the "Subject" line).  Consider the
following scenario:

You, the overworked sysadmin, install the new super-cool mail gateway
to pass mail through to some ancient, brain-dead, obsolete network.
Unbeknownst to you, but not to the evil hacker, this contains a bug.
When converting MIME messages of type "matter-transport/sheep;
charset=outer-mongolian", it invokes, as root, a sloppily written script
that does:

	...
	grep mange body > /var/tmp/foo$$
	...
	rm /var/tmp/foo$$

Now the evil hacker that has access to the user account "luser" on your
machine does the following: he first figures out about what process
numbers are going to be used shortly, then links or symlinks /etc/group
to the appropriate /var/tmp/fooNNNNN, and then sends a bunch of mail
messages of type "matter-transport/sheep; charset=outer-mongolian" with
the contents

	wheel:*:0:luser,mange
	...

Suddenly, your group file is rewritten and your system is *really*
compromised.

Granted, there is a bug in this hypothetical mail gateway.  And I could
probably construct hypothetical bugs to make any restriction seem like a
"security enhancement".  But the subtleties of links (how many times
have you seen people confused by them?  Or forgotten to take them into
account yourself?), together with the public nature of [/var]/tmp, seem
to me to be a recipe for trouble.

In summary: I consider the (admittedly) minor gain in security to be had
by banning symlinks/hard-links-to-files-you-don't-own from sticky-bit
accessed directories to be a fair trade for the (IMHO) minor
inconvenience that such a restriction causes.

And since in addition, as discussed before, such a ban provides more
accountability (when I see a file in /tmp, I know that its owner put it
there), and also prevents users from accidentally doing something like
"ln /var/mail/* /var/tmp", I consider such a ban to be a good thing.

--Lon Willett
  willett@math.utah.edu

P.S. Unfortunately, I'm on a different continent than my source code at
the moment, so I can't actually send in a patch that implements this.
But it should be easy to write.
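The scenario above, reproduced as an added example (this is not code from the original post or from NetBSD). It runs entirely as an unprivileged user: a `mktemp -d` directory stands in for /var/tmp and a constructed file inside it stands in for /etc/group, so nothing on the real system is touched. The pid that `$$` would give is replaced by a parameter so the attacker's "guess" can be made to hit; the file names, contents and pid value are all constructed. It needs a POSIX sh and mktemp(1), and it also shows the hard-link variant the post mentions (which only works when the target is on the same filesystem, as it is here).

```shell
#!/bin/sh
# Added example, not from the original post: the [/var]/tmp link attack in a
# sandbox. SANDBOX plays /var/tmp, TARGET plays /etc/group (constructed data).

setup_sandbox() {
    SANDBOX=$(mktemp -d) || exit 1
    TARGET="$SANDBOX/group"                       # stand-in for /etc/group
    printf 'wheel:*:0:root\n' > "$TARGET"
    BODY="$SANDBOX/body"                          # the hostile mail body
    printf 'wheel:*:0:luser,mange\n' > "$BODY"
}

# The attacker on account "luser": guess the pid the gateway script will get
# and plant a link from the predictable name to the file he wants rewritten.
plant_link() {   # $1 = guessed pid, $2 = "hard" for a hard link, else symlink
    if [ "${2:-}" = hard ]; then
        ln "$TARGET" "$SANDBOX/foo$1"
    else
        ln -s "$TARGET" "$SANDBOX/foo$1"
    fi
}

# The sloppy script from the post, with $$ replaced by a parameter. The plain
# > redirection opens whatever the planted link points at and truncates it.
sloppy_script() {   # $1 = pid used in the temp file name
    grep mange "$BODY" > "$SANDBOX/foo$1"
    rm -f "$SANDBOX/foo$1"    # removes only the link; the target stays rewritten
}

# Fix: let mktemp(1) create the file (O_CREAT|O_EXCL on an unguessable name),
# so a link planted in advance can never be the file that gets written.
safe_script() {
    out=$(mktemp "$SANDBOX/foo.XXXXXX") || return 1
    grep mange "$BODY" > "$out"
    rm -f "$out"
}

target_intact() { [ "$(cat "$TARGET")" = "wheel:*:0:root" ]; }

# Returns 0 if the attack rewrote the stand-in group file.
demo_vulnerable() {   # $1 = "hard" to use a hard link instead of a symlink
    setup_sandbox
    plant_link 12345 "${1:-}"     # attacker's guess...
    sloppy_script 12345           # ...happens to be right
    if target_intact; then r=1; else r=0; fi
    rm -rf "$SANDBOX"
    return $r
}

# Returns 0 if the hardened script left the target untouched.
demo_hardened() {
    setup_sandbox
    plant_link 12345              # same planted link, never used
    safe_script
    if target_intact; then r=0; else r=1; fi
    rm -rf "$SANDBOX"
    return $r
}

demo_vulnerable      && echo "sloppy script, symlink:   group file rewritten"
demo_vulnerable hard && echo "sloppy script, hard link: group file rewritten"
demo_hardened        && echo "mktemp script:            group file intact"
```

The unguessable name is what defeats the race in the hardened version, but the restriction the post argues for would block it independently of how the script is written: with symlinks to other users' files and hard links to files you don't own banned in sticky directories, `plant_link` itself fails. Linux later adopted exactly this policy as the `fs.protected_symlinks` and `fs.protected_hardlinks` sysctls.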