Bugtraq mailing list archives

using Solaris pax to get files mode 777


From: feyrer () RFHS8012 FH-REGENSBURG DE (Hubert Feyrer)
Date: Mon, 5 Oct 1998 11:20:35 +0200


Hi,

I've discovered a bug in Solaris 2.5 and 2.6's pax (probably others) that
might be exploited somehow - at least it can open security holes if you
don't know about it (like I did). The problem is that - when copying a
symlink with pax - it sets the permissions of the file the symlink points
to, to mode 777. The file may be placed anywhere.

Example:
rfhs8012# cd /tmp
rfhs8012# mkdir test
rfhs8012# cd test
rfhs8012# mkdir orig copy
rfhs8012# touch non-public-file
rfhs8012# ln -s `pwd`/non-public-file orig
rfhs8012# ls -laL orig
total 16
drwxr-xr-x   2 root     other        117 Oct  5 11:05 .
drwxr-xr-x   4 root     other        191 Oct  5 11:05 ..
-rw-r--r--   1 root     other          0 Oct  5 11:05 non-public-file
rfhs8012# find . -ls
   18    4 drwxr-xr-x  4 root     other         191 Oct  5 11:05 .
   19    4 drwxr-xr-x  2 root     other         117 Oct  5 11:05 ./orig
   23    4 lrwxrwxrwx  1 root     other          25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
   21    4 drwxr-xr-x  2 root     other          69 Oct  5 11:04 ./copy
   22    0 -rw-r--r--  1 root     other           0 Oct  5 11:05 ./non-public-file
rfhs8012# pax -rw -pe -v orig copy
copy/orig
copy/orig/non-public-file
rfhs8012# find . -ls
   18    4 drwxr-xr-x  4 root     other         191 Oct  5 11:05 .
   19    4 drwxr-xr-x  2 root     other         117 Oct  5 11:05 ./orig
   23    4 lrwxrwxrwx  1 root     other          25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
   21    4 drwxr-xr-x  3 root     other         106 Oct  5 11:05 ./copy
   24    4 drwxr-xr-x  2 root     other         117 Oct  5 11:05 ./copy/orig
   25    4 lrwxrwxrwx  1 root     other          25 Oct  5 11:05 ./copy/orig/non-public-file -> /tmp/test/non-public-file
   22    0 -rwxrwxrwx  1 root     other           0 Oct  5 11:05 ./non-public-file

Et voila - the non-public-file is suddenly somewhat public(ly
writeable). The problem has been reported to Sun.


 - Hubert

--
Hubert Feyrer <hubert.feyrer () informatik fh-regensburg de>
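
The following script is an added check, not part of Hubert's post, that rebuilds the /tmp/test layout from the message inside a private mktemp directory, runs the same "pax -rw -pe orig copy", and reports whether the mode of the symlink target changed. It assumes a POSIX sh with mktemp(1) and command(1); the function names and the result words (affected/unaffected/no-pax/pax-failed) are this example's own convention.

```shell
#!/bin/sh
# Added reproduction/check for the pax symlink chmod behaviour described in
# the post above (example code, not from the original message). It recreates
# the post's directory layout under a private mktemp directory so the only
# file whose mode can change is the one it created itself.

# Permission string of a path itself (never of what a link points to),
# taken from ls(1) because old Solaris has no stat(1).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Prints exactly one word:
#   affected    target's mode changed after the copy (the bug in the post)
#   unaffected  target's mode untouched
#   no-pax      no pax binary in PATH
#   pax-failed  pax exited non-zero, so nothing can be concluded
check_pax_symlink_chmod() {
    if ! command -v pax >/dev/null 2>&1; then
        echo no-pax
        return 0
    fi
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 022
        mkdir orig copy
        touch non-public-file
        chmod 644 non-public-file
        # Absolute symlink inside the source tree, as the post's "ln -s `pwd`/..." did.
        ln -s "$work/non-public-file" orig/non-public-file
        before=$(mode_of non-public-file)
        # -rw: copy mode; -pe: preserve everything (uid/gid/mode/times),
        # which is the option under which the post's pax chmods the target.
        if ! pax -rw -pe orig copy >/dev/null 2>&1; then
            echo pax-failed
            exit 0
        fi
        after=$(mode_of non-public-file)
        if [ "$before" = "$after" ]; then
            echo unaffected
        else
            echo "non-public-file: $before -> $after" >&2
            echo affected
        fi
    )
    rm -rf "$work"
}

check_pax_symlink_chmod
```

Run it as an unprivileged user on the host whose pax you want to test; an affected pax prints "affected" and the before/after permission string on stderr, and the temporary directory is removed afterwards either way.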


