Re: hardlinks to setuid binaries

To: tech-security%netbsd.org@localhost
Subject: Re: hardlinks to setuid binaries
From: Jan Schaumann <jschauma%netmeister.org@localhost>
Date: Fri, 25 Mar 2022 17:34:54 -0400

Michael Richardson <mcr%sandelman.ca@localhost> wrote:
> Jan Schaumann <jschauma%netmeister.org@localhost> wrote:
>     > Suppose you have a setuid /usr/pkg/bin/sudo from sudo version 1.8.11,
>     > which is vulnerable to CVE-2014-9680.  You create a hardlink in your
>     > home directory, so you get setuid, owned by root, mode 511 '~/sudo'.
> 
> So, that would require that all pieces be on the same partition.
> 
> I would claim that /home should be mounted nosuid, and that it wasn't is
> really the bug.

Ok, so repeat the example on the same partition, say
/var/tmp (which, even if /tmp is more commonly now a
tmpfs, may not be).

I don't think demanding that all installs everywhere
have a 100% clean separation of setuid binaries from
user writable directories is a realistic solution.

FWIW, FreeBSD also seems to prohibit this; I haven't
checked OpenBSD.

-Jan

References:
- hardlinks to setuid binaries
  - From: Jan Schaumann
- Re: hardlinks to setuid binaries
  - From: Michael Richardson

Prev by Date: Re: hardlinks to setuid binaries
Next by Date: Re: hardlinks to setuid binaries
Previous by Thread: Re: hardlinks to setuid binaries
Next by Thread: Re: hardlinks to setuid binaries
Indexes:

Home | Main Index | Thread Index | Old Index