>Synopsis:	Any luser can make a hardlink to a file not owned by them
>Category:	system
>Environment:
	System      : OpenBSD 7.5
	Details     : OpenBSD 7.5 (GENERIC.MP) #2: Mon Sep 16 07:59:35 MDT 2024
			 r...@syspatch-75-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP

	Architecture: OpenBSD.arm64
	Machine     : arm64
>Description:
	On the same filesystem, /tmp or /var in www pages perhaps or perhaps even / if they get that deep, the risk exists that a user can archive a file away even though they don't have permissions to that file. It allows at least a "backup" of non-user owned files, to be put away for later examination. Whether this is intended or not to be this way I don't know. It's all ghoti to me.
>How-To-Repeat:
	Script started on Wed Oct 23 19:56:16 2024
	arcturus# useradd -m luser
	arcturus# id luser
	uid=1004(luser) gid=1004(luser) groups=1004(luser)
	arcturus# su - luser
	arcturus$ cd /tmp
	arcturus$ ls etc/spwd.db
	etc/spwd.db
	arcturus$ ls -l etc/spwd.db
	-rw-r-----  2 root  wheel  40960 Oct 23 04:06 etc/spwd.db
	arcturus$ id
	uid=1004(luser) gid=1004(luser) groups=1004(luser)
	arcturus$ cd myownarchive
	ksh: cd: /tmp/myownarchive - No such file or directory
	arcturus$ mkdir myownarchive
	arcturus$ cd myownarchive
	arcturus$ ln /tmp/etc/spwd.db archive-this.db
	arcturus$ ls -l
	total 80
	-rw-r-----  3 root  wheel  40960 Oct 23 04:06 archive-this.db
	arcturus$ pwd
	/tmp/myownarchive
	arcturus$ ls -ld
	drwxr-xr-x  2 luser  wheel  512 Oct 23 19:57 .
	arcturus$ id
	uid=1004(luser) gid=1004(luser) groups=1004(luser)
	arcturus$ exit
	arcturus# exit
	Script done on Wed Oct 23 19:57:40 2024
>Fix:
	not provided. I'm sick of debating with people who want to fight. You reason it out.
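An audit sketch for the pattern in the transcript above, where the link count on the root-owned file rises from 2 to 3 once it is linked into a directory owned by luser while owner and mode stay unchanged. This is an added example, not part of the original report; the function names `is_foreign_link`, `scan` and `foreign_links` are hypothetical, and the default `/tmp` scan root is an assumption.

```python
import os
import stat
import sys
from collections import defaultdict


def is_foreign_link(file_st, dir_st):
    """Regular file with more than one name, in a directory owned by another uid."""
    return (stat.S_ISREG(file_st.st_mode) and file_st.st_nlink > 1
            and file_st.st_uid != dir_st.st_uid)


def scan(root):
    """Group every multiply-linked regular file under root by inode.

    Returns {(st_dev, st_ino): [(path, file_stat, dir_stat), ...]}.
    Symlinks are not followed and other filesystems are skipped, because
    a hard link cannot cross a filesystem boundary.
    """
    root_dev = os.lstat(root).st_dev
    found = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        try:
            dir_st = os.lstat(dirpath)
        except OSError:
            continue
        if dir_st.st_dev != root_dev:
            dirnames[:] = []  # do not descend into another filesystem
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is not accessible
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                found[(st.st_dev, st.st_ino)].append((path, st, dir_st))
    return dict(found)


def foreign_links(root):
    """Sorted paths whose owner differs from the owner of their directory."""
    return sorted(path for names in scan(root).values()
                  for path, st, dir_st in names if is_foreign_link(st, dir_st))


if __name__ == "__main__":
    for p in foreign_links(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        print(p)
```

Hits are candidates for review rather than findings: a user's own multiply-linked file sitting directly in a root-owned directory such as /tmp matches the same test.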