author: Kaz Kylheku <kaz@kylheku.com>, 2022-07-29 08:11:15 -0700
committer: Kaz Kylheku <kaz@kylheku.com>, 2022-07-29 08:11:15 -0700
commit: 9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445 (patch)
tree: 65200a9482395087e0aff8847a18c5c1765f68e4 /HACKING
parent: bad5feff45d5336c1d6de9f6aee69a2abab88a9f (diff)
download: txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.tar.gz, txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.tar.bz2, txr-9780ab12e6fa9f2f6bd3bc4f9f476c5df382c445.zip
path-components-safe: repel /proc symlink attacks
In a Linux system, it's possible for an unprivileged
user to create a root symlink pointing to any directory,
simply by changing to that directory and running a setuid
executable like "su". That executable will get a process
whose /proc/<pid> directory is root owned, and contains
a symlink named cwd pointing to the current directory.
Other symlinks under /proc look exploitable in this way.
* stdlib/path-test.tl (safe-abs-path): New function.
Here is where we are going to check for unsafe paths.
We use some pattern matching to recognize various unsafe
symlinks under /proc.
(path-components-safe): Simplify code around recognition
of absolute paths. When an absolute path is read from
a symlink, remove the first empty component. Pass every
absolute path through safe-abs-path to check for known
unsafe paths.
* tests/018/path-safe.tl: New tests.
Diffstat (limited to 'HACKING')
0 files changed, 0 insertions, 0 deletions