Bugtraq mailing list archives
using Solaris pax to get files mode 777
From: feyrer () RFHS8012 FH-REGENSBURG DE (Hubert Feyrer)
Date: Mon, 5 Oct 1998 11:20:35 +0200
Hi,

I've discovered a bug in Solaris 2.5 and 2.6's pax (probably others) that might be exploited somehow - at least it can open security holes if you don't know about it (like I did).

The problem is that - when copying a symlink with pax - it sets the permissions of the file the symlink points to to mode 777. The file may be placed anywhere.

Example:

    rfhs8012# cd /tmp
    rfhs8012# mkdir test
    rfhs8012# cd test
    rfhs8012# mkdir orig copy
    rfhs8012# touch non-public-file
    rfhs8012# ln -s `pwd`/non-public-file orig
    rfhs8012# ls -laL orig
    total 16
    drwxr-xr-x   2 root     other        117 Oct  5 11:05 .
    drwxr-xr-x   4 root     other        191 Oct  5 11:05 ..
    -rw-r--r--   1 root     other          0 Oct  5 11:05 non-public-file
    rfhs8012# find . -ls
    18    4 drwxr-xr-x   4 root     other        191 Oct  5 11:05 .
    19    4 drwxr-xr-x   2 root     other        117 Oct  5 11:05 ./orig
    23    4 lrwxrwxrwx   1 root     other         25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
    21    4 drwxr-xr-x   2 root     other         69 Oct  5 11:04 ./copy
    22    0 -rw-r--r--   1 root     other          0 Oct  5 11:05 ./non-public-file
    rfhs8012# pax -rw -pe -v orig copy
    copy/orig
    copy/orig/non-public-file
    rfhs8012# find . -ls
    18    4 drwxr-xr-x   4 root     other        191 Oct  5 11:05 .
    19    4 drwxr-xr-x   2 root     other        117 Oct  5 11:05 ./orig
    23    4 lrwxrwxrwx   1 root     other         25 Oct  5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
    21    4 drwxr-xr-x   3 root     other        106 Oct  5 11:05 ./copy
    24    4 drwxr-xr-x   2 root     other        117 Oct  5 11:05 ./copy/orig
    25    4 lrwxrwxrwx   1 root     other         25 Oct  5 11:05 ./copy/orig/non-public-file -> /tmp/test/non-public-file
    22    0 -rwxrwxrwx   1 root     other          0 Oct  5 11:05 ./non-public-file

Et voila - the non-public-file is suddenly somewhat public(ly writeable).

The problem has been reported to Sun.

 - Hubert

--
Hubert Feyrer <hubert.feyrer () informatik fh-regensburg de>
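A defender-side check for the behaviour reported above, as an added example that is not part of the original post: it records the permissions of every file reached through a symlink in the source tree, runs the copy command, and reports any target whose mode changed. The function names `snapshot_link_targets` and `audit_copy` are hypothetical, and `mktemp` is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original post): report files reached through
# symlinks whose permissions changed while a copy command ran.

# Print "<mode> <link>" for each symlink under $1; <mode> is the permission
# string of the file the link resolves to (ls -L follows the link).
# Dangling links get the mode "dangling". Paths with newlines are unsupported.
snapshot_link_targets() {
    find "$1" -type l -print | sort | while IFS= read -r link; do
        mode=$(ls -ldL -- "$link" 2>/dev/null | cut -c1-10)
        printf '%s %s\n' "${mode:-dangling}" "$link"
    done
}

# usage: audit_copy SRC_TREE command [args...]
#   e.g. audit_copy orig pax -rw -pe orig copy
# Prints "<link>: <before> -> <after>" for every changed target and
# returns 1 if any target changed, 0 otherwise.
audit_copy() {
    src=$1; shift
    tmp=$(mktemp -d) || return 2
    snapshot_link_targets "$src" > "$tmp/before"
    "$@" >&2 || :                      # the copy's own output goes to stderr
    snapshot_link_targets "$src" > "$tmp/after"
    rc=0
    awk '
        { mode = $1; sub(/^[^ ]+ /, "") }        # $0 is now the link path
        NR == FNR { old[$0] = mode; next }       # first file: remember modes
        ($0 in old) && old[$0] != mode {
            print $0 ": " old[$0] " -> " mode; changed = 1
        }
        END { exit changed + 0 }
    ' "$tmp/before" "$tmp/after" || rc=1
    rm -rf "$tmp"
    return "$rc"
}
```

On the session shown in the post, the report line would name `orig/non-public-file` with `-rw-r--r-- -> -rwxrwxrwx`.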