tech-security archive


Re: hardlinks to setuid binaries



On Sat, Mar 26, 2022 at 07:05:04 +0100, Martin Husemann wrote:

> On Fri, Mar 25, 2022 at 11:00:35PM +0000, Taylor R Campbell wrote:
> > A heavier hammer, not requiring changes to pkg_delete or anything,
> > would be to prohibit creating hard links to files with suid/sgid bits,
> > and to prohibit setting the suid/sgid bits on files with >1 link.
> 
> Instead of prohibiting those, we could require them to be done by
> the suid owner or root.

I was about to suggest that too.

There's a binary blob somewhere in the filesystem and for that blob to
become a setuid binary it must be given 1) a name and 2) u+s bit.  The
normal chmod scenario has these ordered as 1-then-2, but the described
attack achieves the same result via 2-then-1 (where 2 was previously
done by the original owner in the 1-then-2 scenario).

I'd argue that the 2-then-1 scenario should have the same restrictions as
1-then-2.

-uwe
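The scenario the thread describes, reproduced as an added example that is not part of the original post or of any NetBSD code: a constructed "package" installs a setuid binary (name first, then u+s), a second name is hard-linked to it and inherits the existing u+s bit, and then the package's own name is removed. The audit function reports set-id regular files with more than one link, and `link_permitted` models the restriction proposed above (linking a suid/sgid file only as the file's owner or root). All paths are created in a temporary directory and the function and parameter names are the example's own.

```python
"""Audit a tree for set-id files that carry extra hard links, and model
the proposed link(2) restriction. Added example, not from the thread."""
import os
import stat
import tempfile


def is_setid(mode):
    """True if the mode has the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def link_permitted(target_mode, target_uid, caller_uid):
    """Proposed policy from the discussion: creating a hard link to a
    suid/sgid file is allowed only for the file's owner or root.
    Links to non-set-id files are unaffected."""
    if not is_setid(target_mode):
        return True
    return caller_uid == 0 or caller_uid == target_uid


def find_multilinked_setid(root):
    """Return sorted (path, nlink, perm) for set-id regular files with
    st_nlink > 1. lstat is used so symlinks are never followed; a symlink
    cannot carry an effective set-id bit, only the inode it points to."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if (stat.S_ISREG(st.st_mode) and is_setid(st.st_mode)
                    and st.st_nlink > 1):
                hits.append((path, st.st_nlink, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def demo():
    """Constructed scenario (2-then-1 ordering): returns what the audit
    sees while both names exist, and what survives after the original
    name is unlinked."""
    with tempfile.TemporaryDirectory() as top:
        pkgdir = os.path.join(top, "pkg", "bin")
        os.makedirs(pkgdir)
        orig = os.path.join(pkgdir, "tool")
        with open(orig, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(orig, 0o4755)          # 1-then-2: name, then u+s
        alias = os.path.join(top, "tool-alias")
        os.link(orig, alias)            # second name; u+s comes along
        before = find_multilinked_setid(top)
        os.unlink(orig)                 # the package removes only its name
        after_st = os.lstat(alias)
        return {
            "hits_before": len(before),
            "nlinks_before": sorted(h[1] for h in before),
            "hits_after": len(find_multilinked_setid(top)),
            "alias_perm_after": stat.S_IMODE(after_st.st_mode),
            "alias_nlink_after": after_st.st_nlink,
        }


if __name__ == "__main__":
    print(demo())
```

The audit only catches the extra name while both links exist: once the original is deleted the surviving alias has a link count of 1 and looks like any other set-id file, which is why the thread reaches for a kernel-side restriction on creating the link rather than on cleaning up afterwards.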

