Michael Orlitzky { POSIX hardlink heartache }

submitted by
Style Pass
2021-07-06 15:30:06

Filing CVE-2017-18925 has reawakened in me some unprocessed feelings about hardlinks that I developed while researching CVE-2017-18188. Below I summarize my latest therapy session.

On UNIX systems, symbolic links (symlinks) can be exploited by bad guys to take over the system. By default, the standard system utilities like chown and chmod all follow symlinks, as do most libc functions like open. If root tries to change the owner or permissions on a file in a user-writable directory, then that user can often trick root into modifying the wrong file by replacing the original target with a symlink. To avoid this, you must take care to avoid following symlinks.

A parallel plight plagues hardlinks, although, as we will see, there is no such thing as “following a hardlink”, which makes it rather hard not to do.

Many programs are designed to change ownership and permissions, as root, within a user-writable directory. What do you think chown -R does?
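As an added illustration (not from the original article), the following POSIX shell audit lists the two kinds of entries the text warns about before anyone runs a recursive chown or chmod as root over a user-writable tree: symlinks, which can redirect the operation, and regular files whose inode has more than one name, which may be hardlinks to files outside the tree. The sample layout it builds under a mktemp directory is constructed for the demonstration.

```shell
#!/bin/sh
# Count symlinks under $1. find does not follow symlinks unless -L is given,
# so -type l sees the link itself rather than its target.
count_symlinks() {
    find "$1" -type l | wc -l | tr -d ' '
}

# Count regular files under $1 whose link count is above 1. If the other
# name lives outside the tree, a recursive chown still changes that inode in
# place, and nothing in the path reveals it. Unlike symlinks (chown -h),
# there is no "do not follow" option that helps here.
count_multilinked() {
    find "$1" -type f -links +1 | wc -l | tr -d ' '
}

# Print every hazard under $1 and return 0 only when there are none.
audit_tree() {
    find "$1" -type l -exec printf 'symlink  %s\n' {} \;
    find "$1" -type f -links +1 -exec printf 'hardlink %s\n' {} \;
    n=$(( $(count_symlinks "$1") + $(count_multilinked "$1") ))
    [ "$n" -eq 0 ]
}

# Constructed layout: a "victim" file outside the tree, reachable from the
# tree through one hardlink and one symlink, plus one ordinary file.
demo() {
    t=$(mktemp -d)
    mkdir "$t/tree"
    echo secret > "$t/victim"
    echo plain  > "$t/tree/plain"
    ln    "$t/victim" "$t/tree/hl"
    ln -s "$t/victim" "$t/tree/sl"
    if audit_tree "$t/tree"; then
        echo "tree is clean"
    else
        echo "refusing to chown -R: hazards found"
    fi
    rm -rf "$t"
}

demo
```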
