On 2013-09-09 21:41:00 +0200, Daniel Vérité wrote:
> Tom Lane writes:
>
> > Andres Freund <andres@2ndquadrant.com> writes:
>
> > > One would be to use open(O_NOFOLLOW)?
> >
> > That would only stop symlink attacks, not hardlink variants;
> > and it'd probably stop some legitimate use-cases too.
>
> The creation of the hardlink is denied by the OS based on the
> attacker not having sufficient permissions to the target file.
> In principle the mentioned loophole is limited to a symlink, which
> is not restricted at create time.
It only requires search privileges, doesn't it?
andres@alap2:~$ ln /etc/shadow /tmp/frak
andres@alap2:~$ cat /tmp/frak
cat: /tmp/frak: Permission denied
andres@alap2:~$ ls -l /tmp/frak
-rw-r----- 2 root shadow 1652 Jun 4 22:05 /tmp/frak
There are patches around preventing that kind of thing, but they aren't
too widespread yet.
Greetings,
Andres Freund
-- Andres Freund http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services