You reported a bug in 'ln'.  I will include the entire report here for
clarity.  But initially I do not understand where you think the bug
exists.

> /etc/shadow file permission is 400(-r--------).
> $ id
> uid=501(lnbug) gid=501(lnbug)
> $ pwd
> /home/lnbug
> $ ln -b /etc/shadow .
> $ ls -ld ./shadow
> -r-------- xxx  root   root   100   ....   shadow
> $ ln -f /etc/shadow ./shadow2     // -f option is only using by superuser ^^;
> $ ls -lad ./shadow*
> -r-------- xxx  root   root   100   ....   shadow
> -r-------- xxx  root   root   100   ....   shadow2

All looks normal so far.

> cool!...  copied original-copy file...
> what's up ?

No, you did not copy the original file.  You only linked it into your
new directory.  You have write permission into the directory and so
you can link other files that exist on the same filesystem into that
directory.  (You would not be able to link across filesystems.)

The links you are using are known as 'hard links' to differentiate
them from symbolic links which are known as 'soft links'.  Files exist
as a pool of disk blocks.  Directories contain pointers or links to
the start of a file.  There can be many pointers/links all pointing to
the start of the same file.  That is to say that there can be many
directories with entries in the directory which point to the same
file.  To begin with the file will only exist in one directory and the
link count to the file will be one.  But as you link the file into
other directories the link count will increase.  The link count is
displayed with the 'ls -l' command as the first number after the file
modes.  You have it 'xxx' in your listing so I assume you covered it
for some reason.  You should have noticed the link count increase as
you linked the file into different directories.

I think that you are thinking that files exist in directories.  But
that is not true.  Files do not exist in directories.  Files exist in
the filesystem which maintains all files within as a database.  Names
in directories point to those files.  Your example was not copying the
file.  Your example was copying the name in the directory from one
directory to another.  A subtle but important difference.

Linking a file into a different directory does not give any additional
access to the file.  The file permission bits as listed are enforced
by the operating system.  The operating system handles accesses to the
file and in your example will prevent non-root users from reading the
shadow file; therefore there is no vulnerability.  I see no bug here.

Hope this explanation helped.

Bob


> From: Ho-jung Kim, security group DOSFIN of Honam Univ. from Kwangju, KOREA.
>           [EMAIL PROTECTED]
> TO: [EMAIL PROTECTED]
> Subject: 'ln' have vulnerablity.
> System: All system of RedHat Linux box. (and other)
>               I tested on system of RedHat Linux box 6.0 and 6.1.
>               I think about below version will be. (?)
> Detail: I found 'ln' bug at June of last year.  (june, 1999)
>           This bug is,,, well maybe serious or simple... or nothing...
>           But this bug have a little serious problem...
> The problem of 'ln' bug where '-b' and '-f' option.
> These option will help when anyone want to copy any files.
> Look...
> 
> /etc/shadow file permission is 400(-r--------).
> 
> $ id
> uid=501(lnbug) gid=501(lnbug)
> 
> $ pwd
> /home/lnbug
> 
> $ ln -b /etc/shadow .
> $
> 
> $ ls -ld ./shadow
> -r-------- xxx  root   root   100   ....   shadow
> 
> $ ln -f /etc/shadow ./shadow2     // -f option is only using by superuser ^^;
> $
> 
> $ ls -lad ./shadow*
> -r-------- xxx  root   root   100   ....   shadow
> -r-------- xxx  root   root   100   ....   shadow2
> 
> cool!...  copied original-copy file...
> 
> what's up ?
> 
> Ho-jung Kim
> from DOSFIN
> 
> P.s:  well,,, I hope this bug 1st found by me...
> 
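Added example, not part of the original message or of the coreutils project: a shell sketch of the point made in the reply, that a hard link is a second name for the same file and carries the same permission bits. The paths and function names are constructed, and the demo links a file the current user owns inside a temporary directory so that it runs without privileges.

```shell
#!/bin/sh
# Constructed demo (hypothetical paths and function names): hard-link a file
# this user owns, then compare what the two names report.

link_count() { ls -ld "$1" | awk '{print $2}'; }                # 2nd field of ls -l
mode_of()    { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; } # drop ACL/SELinux mark

hardlink_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/etc" "$work/home"
    printf 'constructed sample data\n' > "$work/etc/secret"
    chmod 400 "$work/etc/secret"
    before=$(link_count "$work/etc/secret")

    ln "$work/etc/secret" "$work/home/secret"    # second name, same file
    after=$(link_count "$work/etc/secret")

    same=no                                      # -ef: same device and inode
    [ "$work/etc/secret" -ef "$work/home/secret" ] && same=yes

    # Change the mode through the new name and read it back through the old
    # one: the permission bits belong to the file, not to the directory entry.
    chmod 000 "$work/home/secret"
    mode=$(mode_of "$work/etc/secret")

    # The kernel checks those bits whichever name is opened (root is exempt).
    if [ "$(id -u)" -eq 0 ]; then readable=root-exempt
    elif cat "$work/home/secret" >/dev/null 2>&1; then readable=yes
    else readable=no
    fi

    rm -rf "$work"
    echo "before=$before after=$after same=$same mode=$mode readable=$readable"
}

hardlink_demo
```

On Linux kernels with the `fs.protected_hardlinks` sysctl set to 1, the `ln /etc/shadow .` step from the report is itself refused for an unprivileged user, which is why the demo links a file it owns.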