Bug#1033477: linux: symlink in sticky directory not owned 0:0 behaves weirdly (EACCES if mode 1777, okay if 1755, &c.)

Sat, 25 Mar 2023 13:15:15 -0700 

Hi,

On Sat, Mar 25, 2023 at 05:54:23PM +0100, наб wrote:
> Source: linux
> Version: 6.1.20-1
> Severity: normal
> 
> Dear Maintainer,
> 
> Here's a session that demonstrates the issue:
> -- >8 --
> /srv# echo /srv/f > f
> /srv# mkdir -m 1777 1777
> /srv# ln -s /srv/f 1777/
> /srv# chown _apt 1777/
> 
> /srv$ cat 1777/f
> cat: 1777/f: Permission denied
> /srv$ cat f
> /srv/f
> -- >8 --
> 
> Or, in short:
> -- >8 --
> $ find /srv/ -exec ls -ld {} +
> drwxr-xr-x 3 root root 4096 Mar 25 17:34 /srv/
> drwxrwxrwt 2 _apt root 4096 Mar 25 17:34 /srv/1777
> lrwxrwxrwx 1 root root    6 Mar 25 17:34 /srv/1777/f -> /srv/f
> -rw-r--r-- 1 root root    7 Mar 25 17:34 /srv/f
> -- >8 --
> 
> If you don't chown (leave it owned 0:0), the cat succeeds.
> If you make it 1755 instead of 1777, the cat succeeds as well!
> 
> This is obviously insane, but I'm assuming no-one noticed
> because no-one uses sticky directories not owned 0:0.
> 
> If you additionally mkdir 1777/dir and make an identical symlink there,
> the cat also succeeds.
> 
> Naturally, it should succeed in every scenario.

Since several releses Debian sets fs.protected_symlinks=1 by default.

>From the documentation:

| protected_symlinks
| ------------------
| 
| A long-standing class of security issues is the symlink-based
| time-of-check-time-of-use race, most commonly seen in world-writable
| directories like ``/tmp``. The common method of exploitation of this flaw
| is to cross privilege boundaries when following a given symlink (i.e. a
| root process follows a symlink belonging to another user). For a likely
| incomplete list of hundreds of examples across the years, please see:
| https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
| 
| When set to "0", symlink following behavior is unrestricted.
| 
| When set to "1" symlinks are permitted to be followed only when outside
| a sticky world-writable directory, or when the uid of the symlink and
| follower match, or when the directory owner matches the symlink's owner.
| 
| This protection is based on the restrictions in Openwall and grsecurity.

https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html#protected-symlinks

In the above case we have a sticky world-writable directory and the
directory owner does not match the symlink owner and the follower's
uid does not match the symlink's uid.

Regards,
Salvatore

Reply via email to