SUMMARY: Strange softlink permissions problem in Tru64 5.1B

From: gmb-mcg-it-unix-admin (gmb-mcg-it-unix-admin@cardinal.com)
Date: Wed Apr 06 2005 - 18:51:52 EDT


Hello,

Thanks to Spider Boardman, Ann Majeski and Dr. Thomas Blinn for the very quick responses. The root cause was the setting of system parameter 'restricted_symlink_follow'.

We had recently applied security hardening to this machine. One of the hardening steps changed the value of 'restricted_symlink_follow' from the default value of 0 to 1 as shown:

# sysconfig -r sec restricted_symlink_follow=1
restricted_symlink_follow: reconfigured

The man page for sys_attrs_sec explains the behavior of setting restricted_symlink_follow=1. Setting the value to 1 will prevent various 'symlink' attacks from happening should an attacker gain access to the system.

Sincerely,

Marc Brandon
Systems Engineer
Cardinal Health
Waukegan, IL

> -----Original Message-----
> From: gmb-mcg-it-unix-admin
> Sent: Tuesday, April 05, 2005 12:04 PM
> To: 'tru64-unix-managers@ornl.gov'
> Subject: Strange softlink permissions problem in Tru64 5.1B
>
> Hello,
>
> I need some help in trying to determine whether a softlink permissions problem is either a bug or part of normal UNIX security. This is on a Tru64 5.1B machine.
>
> In summary, various userids including root received 'permission denied' when cd'ing into a softlink defined in /tmp as shown:
>
> lrwxrwxrwx 1 zuserid1 system 12 Apr 1 11:21 zzzzdir -> /tmp/zzzz <=== Softlink in /tmp
> drwxrwxrwx 2 zuserid2 system 8192 Apr 1 11:21 zzzz <== Actual directory in /tmp
>
> # id
> uid=0(root) gid=1(daemon) groups=0(system)
> # cd zzzzdir
> ksh: zzzzdir: permission denied
> # cd zzzz
> #
>
> The zzzz directory is owned by user zuserid2 and has universal read/write/execute permissions, so any userid can cd directly into /tmp/zzzz with no problem. The softlink is owned by zuserid1, which normally should not be an issue. The problem was circumvented by deleting the zzzzdir softlink and recreating it under root:
>
> lrwxrwxrwx 1 root system 12 Apr 4 11:28 zzzzdir -> /tmp/zzzz
>
> Any idea why the softlink must be owned by root to circumvent the problem?
>
> Sincerely,
>
> Marc Brandon
> Systems Engineer
> Cardinal Health
> Waukegan, IL
>
>
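Added illustration, not code from this thread or from Tru64 itself: a small Python model of the follow rule that restricted_symlink_follow=1 is understood to enforce (a symlink sitting in a sticky, world-writable directory is followed only when the link's owner is the directory's owner or the calling process's effective UID; that reading of the sys_attrs_sec man page is an assumption here), plus an audit helper that lists the symlinks in a sticky directory that the rule would refuse for a given UID, so links that hardening will break can be found beforehand. The UIDs used for zuserid1 and zuserid2 are constructed.

```python
import os
import stat
import tempfile

# Constructed UIDs for the thread's users; only root's uid 0 is real.
ROOT, ZUSERID1, ZUSERID2 = 0, 1001, 1002
TMP_MODE = stat.S_IFDIR | 0o1777  # /tmp: directory, world-writable, sticky

def sticky_world_writable(dir_mode):
    """True for directories such as /tmp (sticky bit and o+w both set)."""
    return bool(dir_mode & stat.S_ISVTX) and bool(dir_mode & stat.S_IWOTH)

def may_follow(link_uid, dir_uid, dir_mode, euid, restricted=True):
    """Assumed rule for restricted_symlink_follow=1: a symlink in a sticky,
    world-writable directory is followed only when its owner is the directory
    owner or the caller's effective UID.  Root gets no exemption."""
    if not restricted or not sticky_world_writable(dir_mode):
        return True  # parameter at 0, or an ordinary directory: always followed
    return link_uid in (dir_uid, euid)

def reproduce_post():
    """The cases from the original message, evaluated under the assumed rule."""
    return {
        "root, link owned by zuserid1": may_follow(ZUSERID1, ROOT, TMP_MODE, ROOT),
        "root, link recreated by root": may_follow(ROOT, ROOT, TMP_MODE, ROOT),
        "zuserid1, own link": may_follow(ZUSERID1, ROOT, TMP_MODE, ZUSERID1),
        "zuserid2, link owned by zuserid1": may_follow(ZUSERID1, ROOT, TMP_MODE, ZUSERID2),
        "root, parameter left at 0": may_follow(ZUSERID1, ROOT, TMP_MODE, ROOT, False),
    }

def audit_sticky_dir(path, euid=None):
    """Names of symlinks directly under `path` that the rule would refuse to
    follow for `euid`; run before hardening to find links that will break."""
    euid = os.geteuid() if euid is None else euid
    dstat = os.stat(path)
    refused = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_symlink():
                link_uid = entry.stat(follow_symlinks=False).st_uid
                if not may_follow(link_uid, dstat.st_uid, dstat.st_mode, euid):
                    refused.append(entry.name)
    return sorted(refused)

def selfcheck_tempdir():
    # A fresh 1777 directory holding one self-owned link: nothing is refused.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o1777)
        os.symlink(d, os.path.join(d, "zzzzdir"))
        return audit_sticky_dir(d)
```

Running audit_sticky_dir("/tmp", euid) for each service account before flipping the parameter shows exactly which links, like zzzzdir in the original message, will start returning 'permission denied'.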



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:17 EDT