Logfile symlink vulnerability
Eran Tromer
cygwinx2eran2eran@tromer.org
Sun Mar 21 20:34:00 GMT 2004
Hi,
If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
whatever it's pointing to (see LogInit() in os/log.c). This allows
standard symlink-following attacks.
Example: Alice runs "ln -s /home/Bob/phd-thesis.tex /tmp/XWin.log" under
her account. Later Bob runs XWin under his account; XWin fails for some
reasons and writes to /tmp/XWin.log; Bob life's work gets overwritten.
(Of course, that's interesting only if ntsec is used.)
Some possible fixes:
* Place the logfile somewhere in the user's home directory.
* Refuse to follow symlinks, or to write to existing files. Most users,
failing to clean up logs, will not get new logs after the first failure.
* Give the logfile a unique filename, a la the "uniq" utility.
Eran
More information about the Cygwin-xfree
mailing list