tech-security archive


Re: hardlinks to setuid binaries



Robert Elz <kre%munnari.OZ.AU@localhost> wrote:
 
>   | Now the sysadmin updates the sudo package, fixing the
>   | vulnerability, but your ~/.sudo remains vulnerable.
> 
> It depends how the update is done.   unlink old, install new,
> will have that effect, but chmod 0 old, unlink old, install
> new does not, nor does cp new old (in all cases, with
> needed chown, chmod, etc, done after the binary update as well).

I don't think I've seen a whole lot of updates perform
these steps, and would guess that the overwhelming
majority of systems or package managers simply unlink.

In fact, what does pkgsrc do?

$ ls -ld
drwx------  2 jschauma  wheel  512 Mar 25 18:25 .
$ ls -l /usr/pkg/bin/screen-4.8.0 
-r-s--x--x  1 root  wheel  420272 Apr  4  2021 /usr/pkg/bin/screen-4.8.0
$ ln /usr/pkg/bin/screen-4.8.0
$ ls -l screen-4.8.0 
-r-s--x--x  2 root  wheel  420272 Apr  4  2021 screen-4.8.0
$ sudo pkg_delete screen
screen-4.8.0nb4: unregistering info file /usr/pkg/info/screen.info
screen-4.8.0nb4: removing /usr/pkg/bin/screen from /etc/shells
$ ls -l screen-4.8.0    
-r-s--x--x  1 root  wheel  420272 Apr  4  2021 screen-4.8.0
$

I'm not arguing that there aren't many other ways
people can prevent the problem from arising.  I'm
saying that few people will use these ways, and it
might be worth considering helping those who don't
rather than say "too bad, you're doing it wrong".

-Jan
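
The two points in this message (a plain unlink leaves a user's hardlink setuid, while chmod 0 before unlink does not) as an added example that is not part of the original post, together with an audit for privileged files that already have extra names. The function names are hypothetical; only POSIX find, chmod and rm are assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.

# Print setuid/setgid regular files under the given directories whose link
# count is greater than 1, i.e. the inode has at least one other name
# somewhere on the same filesystem (possibly in a user's home directory).
audit_multilinked_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print
}

# Succeed if the named file still carries a setuid or setgid bit.
is_setid() {
    [ -n "$(find "$1" -prune -type f \( -perm -4000 -o -perm -2000 \) -print)" ]
}

# Remove privileged binaries so that stray hardlinks are left inert.
# The mode is stored in the inode, not in the directory entry, so clearing
# it before the unlink changes what every remaining name points at.
safe_remove() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        chmod 0 "$f" && rm -f "$f"
    done
}

# Typical use, run as root before deleting or upgrading a package:
#   audit_multilinked_setid /usr/pkg/bin /usr/pkg/sbin
#   safe_remove /usr/pkg/bin/screen-4.8.0
```

For a path the audit reports, `ls -i` gives the inode number and `find <mountpoint> -xdev -inum <number>` lists its other names.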

