From: "David E. O'Brien"Subject: Re: Vulnerabilities minutes, 5 Nov 1997 > ---- ATTACKS #3 ---- > FUNDAMENTAL VULNERABILITIES: Inconsistency when a symbolic link is > used: the SUID program checks the ownership of the symbolic link but > not the target of the symbolic link. Actually nm /usr/dt/bin/sdtcm_convert shows only stat(2) and fstat(2) are called. lstat(2) isn't used. Thus the authors never even considered symlinks. As a side note, we need to be more exact as to the type of system (OS and version) on this one. Different systems have different symlink symantics. For instance: BSD --- -r--r--r-- 1 root wheel 3425 Nov 6 04:27 root-owned lrwxrwxrwx 1 root wheel 10 Nov 6 04:28 root-sym@ -> root-owned lrwxrwxrwx 1 obrien wheel 10 Nov 6 04:27 sym@ -> root-owned HP-UX ----- -r--r--r-- 1 root root 337 Jun 10 1996 root-owned lrwxr-xr-x 1 root users 10 Nov 6 04:31 root-sym@ -> root-owned lrwx------ 1 obrien users 10 Nov 6 04:31 sym@ -> root-owned Notice that on BSD the symlink's permissions are 777, meaning the access permissions are taken from the target of the link. On HP-UX the symlink's perms are a function of the umask setting (plus adding ``a+x'' for some reason). The system call to get symlink information is lstat(2). Note this from the BSD manpage: Lstat() is like stat() except in the case where the named file is a symbolic link, in which case lstat() returns information about the link, while stat() returns information about the file the link references. Unlike other filesystem objects, symbolic links do not have an owner, group, access mode, times, etc. Instead, these attributes are taken from the directory that contains the link. The only attributes returned from an lstat() that refer to the symbolic link itself are the file type (S_IFLNK), size, blocks, and link count (always 1). I don't understand why they say symlinks don't have an owner. lstat(2) seems to provide useful and accurate information for most of the members of ``struct stat''. The HP-UX lstat(2) manpage is less clear about ownership. Also note what seems to be a contradiction about file modes: For symbolic links, the st_mode member will contain meaningful information when used with the file type macros, and the st_size member will contain the length of the pathname contained in the symbolic link. File mode bits and the contents of the remaining members of the stat structure are unspecified. The value returned in the st_size member is the length of the contents of the symbolic link, and does not count any trailing null. -- -- David (obrien@NUXI.ucdavis.edu)