authorKaz Kylheku <kaz@kylheku.com>2022-07-30 15:29:09 -0700
committerKaz Kylheku <kaz@kylheku.com>2022-07-30 15:29:09 -0700
commitffa286c6a8ffe8450aeaa1e2c8cfe1582c99f581 (patch)
tree88902b2663323e514b971bd8167af0285c6318cf
parentaa35108d6f77f56627c0561e4b48361ac298e123 (diff)
Add countermeasure against hard link attacks in /tmp.HEADmaster
* safepath.c (safepath_check): Reject symbolic links that have a link count greater than 2. To defeat this check, the attacker must not only be able to hard link someone else's symlink into a /tmp-like directory, but unlink the original. (That could happen if the user or root have some available symlink sitting in an unsecured directory.)
-rw-r--r--safepath.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/safepath.c b/safepath.c
index b66db65..a57ed6a 100644
--- a/safepath.c
+++ b/safepath.c
@@ -377,6 +377,15 @@ int safepath_check(const char *name)
goto free_out;
}
+ /* A symlink with a link count > 1 is suspicious; it looks like a
+ * hard link attack: an attacker hard linking a symlink into a
+ * /tmp-like directory.
+ */
+ if (st.st_nlink > 1) {
+ ret = SAFEPATH_UNSAFE;
+ goto free_out;
+ }
+
if ((len = readlink(copy, link, sizeof link)) < 0) {
ret = safepath_err(errno);
goto free_out;
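Review bot: The comment above `if (st.st_nlink > 1)` describes the attack but not the limit of the check, which only the commit message records: once the original name of the symlink is unlinked, the count is 1 again and the link passes this test. I would carry that into the comment, for example `* Not a complete defense: if the original name is later unlinked, st_nlink drops back to 1.`, so a reader of safepath.c does not take the check as sufficient on its own. The message also says "greater than 2" while both the comment and the code test `> 1`; one of the two should be corrected so the documented threshold matches the enforced one. The check relies on `st` being filled in before the hunk (presumably by an lstat on `copy`, which is not visible here), and the body of safepath_check starts and ends outside the hunk.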