Symlink race

A symlink race (also called a symlink vulnerability) is a vulnerability that allows an attacker to overwrite arbitrary files with the privileges of the program being executed.

The flaw arises when a program running with elevated privileges creates a file, in an insecure manner, in a directory to which the attacker has write access. The attacker plants a symlink with the same file name in advance, pointing at a file that he normally lacks permission to write. The vulnerable program does not notice the symlink and creates or overwrites the target file instead. Often the attacker can also influence the content of the file.

Example

Take, for example, the fictional Unix program foo, which looks up additional information on user accounts and is setuid. For performance reasons, it first writes a sorted list of users to a temporary file, /tmp/foo.

The /tmp directory is world-writable. Before the program starts, the attacker Alice creates there a symlink from /tmp/foo to the file /root/.rhosts. Then she calls foo, passing the string as the full-name parameter. The foo program now tries to write the string to the temporary file /tmp/foo; in reality, however, it creates the file /root/.rhosts. After it has finished its actual task, it deletes the symlink /tmp/foo, but /root/.rhosts remains.

The string was chosen deliberately in this example, because that entry in the file /root/.rhosts means anyone can log in as root using the rlogin program.

Ineffective countermeasures

It is not sufficient to check, before creating the file, that no symlink of that name exists, because there is a small window of time between the check and the creation (a race condition). The attacker can widen this window by running the vulnerable program under a debugger or by otherwise overloading the system.

Countermeasures

For creating temporary files, the stdlib function mkstemp(3) should be used. For shell scripts, there is the mktemp program. If the file name must be fixed by the program, the flags O_CREAT | O_EXCL must be specified when calling the stdlib function open. Additionally, since Linux 3.11 the flag O_TMPFILE is available.
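As an added illustration (not part of the original article), the following C program reproduces the scenario from the example in an unprivileged scratch directory and contrasts the vulnerable open() call with the O_CREAT | O_EXCL variant recommended above. It assumes a writable /tmp; the scratch directory, the file named "protected" and the "attacker data" string are all constructed stand-ins for /tmp, /root/.rhosts and the planted content.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: O_CREAT without O_EXCL follows a pre-planted symlink. */
static int write_insecure(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL makes open() fail (errno EEXIST) if anything,
 * a symlink included, already exists at path; O_NOFOLLOW is defence in depth. */
static int write_secure(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Returns a bitmask: 1 if the insecure open wrote through the symlink into
 * the target, 2 if the secure open refused. Constructed scratch layout. */
int demo_symlink_race(void) {
    char dir[] = "/tmp/symrace.XXXXXX";        /* stands in for /tmp */
    if (!mkdtemp(dir)) return -1;
    char target[256], link[256], buf[64] = {0};
    snprintf(target, sizeof target, "%s/protected", dir);  /* plays /root/.rhosts */
    snprintf(link, sizeof link, "%s/foo", dir);            /* plays /tmp/foo */
    int result = 0;
    /* Alice plants the symlink before the "privileged" program runs. */
    if (symlink(target, link) == 0 && write_insecure(link, "attacker data") == 0) {
        int fd = open(target, O_RDONLY);
        if (fd >= 0 && read(fd, buf, sizeof buf - 1) > 0 && strcmp(buf, "attacker data") == 0)
            result |= 1;                        /* target overwritten through the link */
        if (fd >= 0) close(fd);
    }
    if (write_secure(link, "data") < 0 && errno == EEXIST)
        result |= 2;                            /* O_EXCL refused to follow the link */
    unlink(link); unlink(target); rmdir(dir);
    return result;
}

int main(void) { printf("result=%d (expect 3)\n", demo_symlink_race()); return 0; }
```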
