Logfile symlink vulnerability

Harold L Hunt II huntharo@msu.edu
Sun Mar 21 22:07:00 GMT 2004


Eran Tromer wrote:

> Hi,
> 
> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
> whatever it's pointing to (see LogInit() in os/log.c). This allows
> standard symlink-following attacks.
> 
> Example: Alice runs "ln -s /home/Bob/phd-thesis.tex /tmp/XWin.log" under
> her account. Later Bob runs XWin under his account; XWin fails for some
> reason and writes to /tmp/XWin.log; Bob's life's work gets overwritten.

In theory, but have you actually tried it and confirmed that it works 
with two different users that did not already both have permissions to 
overwrite the file in question?

Harold



More information about the Cygwin-xfree mailing list