Hi,

I've discovered a bug in Solaris 2.5 and 2.6's pax (probably others) that might be exploited somehow - at least it can open security holes if you don't know about it (like I did).

The problem is that - when copying a symlink with pax - it sets the permissions of the file the symlink points to to mode 777. The file may be placed anywhere.

Example:

rfhs8012# cd /tmp
rfhs8012# mkdir test
rfhs8012# cd test
rfhs8012# mkdir orig copy
rfhs8012# touch non-public-file
rfhs8012# ln -s `pwd`/non-public-file orig
rfhs8012# ls -laL orig
total 16
drwxr-xr-x   2 root     other        117 Oct  5 11:05 .
drwxr-xr-x   4 root     other        191 Oct  5 11:05 ..
-rw-r--r--   1 root     other          0 Oct  5 11:05 non-public-file
rfhs8012# find . -ls
   18    4 drwxr-xr-x   4 root     other         191 Oct  5 11:05 .
   19    4 drwxr-xr-x   2 root     other         117 Oct  5 11:05 ./orig
   23    4 lrwxrwxrwx   1 root     other          25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
   21    4 drwxr-xr-x   2 root     other          69 Oct  5 11:04 ./copy
   22    0 -rw-r--r--   1 root     other           0 Oct  5 11:05 ./non-public-file
rfhs8012# pax -rw -pe -v orig copy
copy/orig
copy/orig/non-public-file
rfhs8012# find . -ls
   18    4 drwxr-xr-x   4 root     other         191 Oct  5 11:05 .
   19    4 drwxr-xr-x   2 root     other         117 Oct  5 11:05 ./orig
   23    4 lrwxrwxrwx   1 root     other          25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
   21    4 drwxr-xr-x   3 root     other         106 Oct  5 11:05 ./copy
   24    4 drwxr-xr-x   2 root     other         117 Oct  5 11:05 ./copy/orig
   25    4 lrwxrwxrwx   1 root     other          25 Oct  5 11:05 ./copy/orig/non-public-file -> /tmp/test/non-public-file
   22    0 -rwxrwxrwx   1 root     other           0 Oct  5 11:05 ./non-public-file

Et voila - the non-public-file is suddenly somewhat public(ally writeable).

The problem has been reported to Sun.

 - Hubert

--
Hubert Feyrer <hubert.feyrerat_private-regensburg.de>
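
A check in the spirit of the reproduction above, added here as an example and not part of the original post: it records the mode of every file that a symlink under the source tree points to, runs a copy command, and reports any target whose mode changed. The function names (snapshot_link_targets, check_copy, build_layout) are made up for this example, and build_layout recreates the post's test layout as constructed sample data.

```sh
#!/bin/sh
# Added example (not from the original post): detect a copy tool that changes
# the mode of files that symlinks in the source tree point to.

# Print "<mode> <link path>" for each non-dangling symlink under $1.
# ls -L follows the link, so the mode shown is the target's, not the link's.
# Assumes path names contain no newlines.
snapshot_link_targets() {
    find "$1" -type l -print | sort | while IFS= read -r link; do
        [ -e "$link" ] || continue            # skip dangling links
        printf '%s %s\n' "$(ls -ldL "$link" | awk '{print $1}')" "$link"
    done
}

# Run a copy command and compare target modes before and after.
# Usage: check_copy <source-tree> <command> [args...]
# Returns 0 if no target mode changed, 1 otherwise (details on stdout).
check_copy() {
    tree=$1; shift
    before=$(snapshot_link_targets "$tree")
    "$@" >/dev/null 2>&1 || echo "note: copy command exited non-zero"
    after=$(snapshot_link_targets "$tree")
    [ "$before" = "$after" ] && return 0
    echo "target modes before:"; echo "$before"
    echo "target modes after:";  echo "$after"
    return 1
}

# Build the layout from the post in a fresh temporary directory
# (constructed sample data) and print the directory name.
build_layout() {
    d=$(mktemp -d) || return 1
    mkdir "$d/orig" "$d/copy"
    touch "$d/non-public-file"
    chmod 644 "$d/non-public-file"
    ln -s "$d/non-public-file" "$d/orig/non-public-file"
    echo "$d"
}

# Demo: "sh thisfile demo" runs the post's pax command on the sample layout.
if [ "${1:-}" = demo ]; then
    command -v pax >/dev/null || { echo "pax not installed"; exit 0; }
    d=$(build_layout) && cd "$d" || exit 1
    if check_copy orig pax -rw -pe orig copy; then
        echo "pax: link targets unchanged"
    else
        echo "pax: link target mode changed"
    fi
fi
```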