> The author said they have done a backup of the password file :) > That's true. The file now have two links point to it. You have to remove > all the links to the file now. > > Allowing any user to create hard links to files not owned and readable > by them create security risks, not just privacy risks. It is called > time of check > to time of use. There is an easy to understand example on Wikipedia. > https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Examples > So, the attacker may replace the file a root process will be working on > with a hardlink to a file not owned by them.
That example works the other way around, so it's not a good example. That example shows root runs a program that tries to open file X, then you replace file X with a link to passwd, not you having a hard link to passwd in your home account or in /tmp (if same fs as /). While you could imagine some kind of TOCTOU around you having a hard link extra, most (all?) of the operations root would do to /etc/passwd or similar files would probably just unlink the /etc/passwd link -> the old passwd contents. You end up with the only remaining link, so you waste space, but the inode is still the same, the permissions that disallow you to read the contents of the file are still the same. To repeat, if you can make a hard link named /home/you/mypwd pointing to /etc/passwd, all you do is add one entry to the /home/you/ directory. Nothing more. You can not change the inode permission flags unless you already had perms, so unless you suddenly become root later, you are not better off than before you made the link. If you do become root later, having that link is not necessary either. So all in all, you gain nothing and all you do it eat some space that counts against your quota, if enabled. > This affect Linux most because most Linux distributions suggest using > a single root partition. But Linux distributions are now having tmpfs for > /tmp by default, so creating hardlink to /etc/spwd.db is not possible... > So the attacher now create symlinks instead. They have zero effect. > I think there should be hardening to stop users from creating hardlinks > and symlinks to the file they don't own... No, at least not regarding symlinks. That part is totally not a problem in this regard. -- May the most significant bit of your life be positive.
