tech-security archive
hardlinks to setuid binaries
Hello,

I just came across this blog post here:
https://rachelbythebay.com/w/2022/03/15/link/

In a nutshell, the author describes how being able to
create a hardlink to a setuid binary can lead to
undesirable results:

Suppose you have a setuid /usr/pkg/bin/sudo from sudo
version 1.8.11, which is vulnerable to CVE-2014-9680.
You create a hardlink in your home directory, so you
get setuid, owned by root, mode 511 '~/sudo'.

Now the sysadmin updates the sudo package, fixing the
vulnerability, but your ~/sudo remains vulnerable.

On Linux, there appears to be a proc(5) restriction
via /proc/sys/fs/protected_hardlinks making this
impossible, but on NetBSD at least up to 9.2 this is
possible.

Any thoughts on this? Should there be a sysctl to
disable this? This is not a new discovery; has this
been discussed before?

-Jan
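
An audit sketch for the situation described in the message above, added here as an example (it is not part of the original post or the linked blog post). It groups set-id files by inode and flags any that live outside the package directories, because once the package is updated the stale link has a link count of 1 and a check on link count alone would miss it. The name audit_setid and the trusted_dirs parameter are hypothetical.

```python
import os
import stat
from collections import defaultdict

SETID = stat.S_ISUID | stat.S_ISGID

def audit_setid(root, trusted_dirs):
    """Group set-id regular files under root by inode and flag suspicious ones."""
    trusted = tuple(os.path.realpath(d) + os.sep for d in trusted_dirs)
    inodes = defaultdict(lambda: {"paths": [], "nlink": 0, "uid": None})
    for dirpath, _dirs, files in os.walk(os.path.realpath(root)):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable; skip it
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID:
                continue
            rec = inodes[(st.st_dev, st.st_ino)]  # same key = same file
            rec["paths"].append(path)
            rec["nlink"], rec["uid"] = st.st_nlink, st.st_uid
    findings = []
    for rec in inodes.values():
        paths = sorted(rec["paths"])
        stray = [p for p in paths if not p.startswith(trusted)]
        reasons = []
        if stray:  # set-id file where the package manager never put one
            reasons.append("outside-trusted-dir")
        if rec["nlink"] > 1:  # extra names exist for this inode
            reasons.append("multiple-links")
        if rec["nlink"] > len(paths):  # some names are outside the scanned tree
            reasons.append("links-outside-scan")
        if reasons:
            findings.append({"paths": paths, "stray": stray, "uid": rec["uid"],
                             "nlink": rec["nlink"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    import sys
    # Usage: script.py ROOT [TRUSTED_DIR ...]; defaults to the current directory
    root, *trusted_args = sys.argv[1:] or ["."]
    for f in audit_setid(root, trusted_args):
        print(f["nlink"], f["uid"], ",".join(f["reasons"]), *f["paths"])
```

Hardlinks cannot cross filesystems, so each filesystem that holds set-id binaries has to be scanned in full for the link counts to be accounted for.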