Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Symlink giving "Permission denied"... to root

Tags:

linux

symlink

file-permissions

I wrote a simple script to automate creating a symbolic link.

#!/pseudo
today = "/tmp/" + date("Y-m-d")
exec("ln -sf " + today + " /tmp/today")

Simple enough; get today's date and make a symlink. Ideally run after midnight with -f so it just updates it in-place.

This works just fine! ...for my user.

xkeeper /tmp$ ls -ltr
drwxrwxrwx  xkeeper   xkeeper   2014-10-21
lrwxrwxrwx  xkeeper   xkeeper   today -> /tmp/2014-10-21/

xkeeper /tmp$ cd today
xkeeper /tmp/today$ cd ..

Notice that it works fine, all the permissions are world-readable, everything looks good.

But if someone else wants to use this link (we'll say, root, but any other user has this problem), something very strange happens:

root /tmp# cd today
bash: cd: today: Permission denied

I am at a complete loss as to why this is. I've also tried creating the links with ln -s -n -f (not that "--no-dereferencing" is very well-explained), but the same issue appears.

like image 297
Xkeeper Avatar asked Oct 21 '14 21:10

Xkeeper

1 Answers

Since /tmp usually has the sticky bit set, the access to /tmp/today is denied because of protected_symlinks. You can disable this protection by setting

sysctl -w fs.protected_symlinks=0

protected_symlinks:

A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp

When set to "0", symlink following behavior is unrestricted.

When set to "1" symlinks are permitted to be followed only when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner.

This protection is based on the restrictions in Openwall and grsecurity.

For further details check this.

like image 138
wenzul Avatar answered Oct 19 '22 16:10

wenzul
Sign in to Comment

Related questions

docker COPY with file globbing
Purpose of shm_open() and ftruncate()?
Compile Swift script with static Swift core library
Conditions under which stepping into shared library should work in gdb?
What does '#pragma GCC optimize ("O3")' mean?
HTTP2: different domain but same IP, multiple connection or one connection?
How to mmap the stack for the clone() system call on linux?
How do linux file descriptor limits work?
How do i test the net speed from the command-line on a linux server(no gui)? [closed]
Externally disabling signals for a Linux program
Is it possible to change the size of a named pipe on Linux?
mmap fails when length is larger than 4GB
Delete a snapshot from cassandra
Dumpbin.exe for Linux to view imports
Killing forked child kills parent?
Check if OpenCV is compiled with TBB
Read file without disk caching in Linux
What is the meaning of !#:3?
Is u_int64_t available on 32-bit machine?
Boost.Log linking errors under GNU/Linux

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!