Logfile symlink vulnerability

Alexander Gottwald alexander.gottwald@s1999.tu-chemnitz.de
Mon Mar 22 15:44:00 GMT 2004

On Sun, 21 Mar 2004, Eran Tromer wrote:

> Hi,
> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write to
> whatever it's pointing to (see LogInit() in os/log.c). This allows
> standard symlink-following attacks.
> Some possible fixes:
> * Place the logfile somewhere in the user's home directory.

The log may get quite big and starts trashing the homedirectory. 

> * Refuse to follow symlinks, or to write to existing files. Most users,
> failing to clean up logs, will not get new logs after the first failure.

What about removing the file before opening it for writing? 

> * Give the logfile a unique filename, a la the "uniq" utility.

Not an option. For support reasons we require a uniqe name on all systems
so we can tell them to send in /tmp/XWin.log.

 http://www.gotti.org           ICQ: 126018723

More information about the Cygwin-xfree mailing list