Symlink giving "Permission denied"... to root


Question

I wrote a simple script to automate creating a symbolic link.

#!/bin/sh
# Build today's directory path, e.g. /tmp/2014-10-21, and (re)point /tmp/today at it.
today="/tmp/$(date +%Y-%m-%d)"
ln -sf "$today" /tmp/today

Simple enough; get today's date and make a symlink. Ideally run after midnight with -f so it just updates it in place.

This works just fine! ...for my user.

xkeeper /tmp$ ls -ltr
drwxrwxrwx  xkeeper   xkeeper   2014-10-21
lrwxrwxrwx  xkeeper   xkeeper   today -> /tmp/2014-10-21/

xkeeper /tmp$ cd today
xkeeper /tmp/today$ cd ..

Notice that it works fine, all the permissions are world-readable, everything looks good.

But if someone else wants to use this link (we'll say root, but any other user has this problem), something very strange happens:

root /tmp# cd today
bash: cd: today: Permission denied

I am at a complete loss as to why this is. I've also tried creating the links with ln -s -n -f (not that "--no-dereference" is very well explained), but the same issue appears.

Accepted answer

Since /tmp usually has the sticky bit set, access to /tmp/today is denied because of protected_symlinks. You can disable this protection by setting

sysctl -w fs.protected_symlinks=0

From the kernel sysctl documentation for protected_symlinks:

A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp

设置为"0"时,符号链接跟随行为不受限制.

When set to "0", symlink following behavior is unrestricted.

设置为"1"时,仅在外部时才允许使用符号链接 一个可粘贴的世界可写目录,或者当符号链接的uid和 跟随者匹配,或目录所有者与符号链接的所有者匹配时.

When set to "1" symlinks are permitted to be followed only when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner.

This protection is based on the restrictions in Openwall and grsecurity.

For further details check this.
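To make the three rules above concrete, here is an added example (not from the answer or the kernel sources) that models the protected_symlinks decision for the question's exact layout: a root-owned /tmp with mode 1777 and a link /tmp/today owned by xkeeper. The uids (0 for root, 1000 for xkeeper) and the Inode type are constructed for the illustration; the check order mirrors the documentation text.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    uid: int   # owner of the directory entry
    mode: int  # full st_mode: file-type bits plus permission bits


def may_follow_link(link: Inode, parent: Inode, follower_uid: int,
                    protected_symlinks: int = 1) -> bool:
    """Return True if follower_uid may traverse `link` located in directory `parent`.

    Models the fs.protected_symlinks rules quoted above; not the kernel's code.
    """
    if not stat.S_ISLNK(link.mode):
        return True                      # not a symlink: nothing to restrict
    if not protected_symlinks:
        return True                      # sysctl set to 0: unrestricted
    if link.uid == follower_uid:
        return True                      # symlink owner and follower match
    sticky_world_writable = stat.S_ISVTX | stat.S_IWOTH
    if parent.mode & sticky_world_writable != sticky_world_writable:
        return True                      # not a sticky, world-writable directory
    if parent.uid == link.uid:
        return True                      # directory owner matches symlink owner
    return False                         # EACCES: "Permission denied"


# Constructed sample matching the question: /tmp is root-owned, mode 1777,
# and /tmp/today belongs to uid 1000 (xkeeper).
ROOT, XKEEPER = 0, 1000
TMP = Inode(uid=ROOT, mode=stat.S_IFDIR | 0o1777)
TODAY = Inode(uid=XKEEPER, mode=stat.S_IFLNK | 0o777)
ROOT_LINK = Inode(uid=ROOT, mode=stat.S_IFLNK | 0o777)
HOME = Inode(uid=XKEEPER, mode=stat.S_IFDIR | 0o755)  # hypothetical ~xkeeper


def scenarios() -> dict:
    return {
        "xkeeper follows own link in /tmp": may_follow_link(TODAY, TMP, XKEEPER),
        "root follows xkeeper's link in /tmp": may_follow_link(TODAY, TMP, ROOT),
        "root, protection disabled": may_follow_link(TODAY, TMP, ROOT, 0),
        "root follows xkeeper's link in her home": may_follow_link(TODAY, HOME, ROOT),
        "xkeeper follows root's link in /tmp": may_follow_link(ROOT_LINK, TMP, XKEEPER),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'Permission denied'}")
```

The last two scenarios show the alternatives to turning the sysctl off: keep the link outside a sticky world-writable directory, or have the directory owner (root for /tmp) own the link.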
