soft link security

Quick to answer questions about finding your way around Linux Mint as a new user.
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Locked
JohnFrumm

soft link security

Post by JohnFrumm »

Today I created some links to some files:

ln -s /dummylocation/Myfile linkToMyfile

It works great, but I noticed that it is impossible to chmod the link by design.

Isn't this a major security hole? Wouldn't it be possible for someone to delete the link and redirect it to some nefarious executable? Obviously they would have to have access to the link, but the default mod is 777 (although the folder is 700).

What am I missing?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Top
Cosmo.
Level 24
Level 24
Posts: 22968
Joined: Sat Dec 06, 2014 7:34 am

Re: soft link security

Post by Cosmo. »

For creating or deleting a file, only the permissions of the containing folder is important. So with octal 700 only the owner has (full) permissions, all others have none.
Top
User avatar
slipstick
Level 6
Level 6
Posts: 1071
Joined: Sun Oct 21, 2012 9:56 pm
Location: Somewhere on the /LL0 scale

Re: soft link security

Post by slipstick »

From the book "The Linux Command Line" by William Shotts - free download at:
http://linuxcommand.org/tlcl.php

Code: Select all

Notice that with symbolic links, the remaining file
attributes are always “rwxrwxrwx” and are dummy values. The real
file attributes are those of the file the symbolic link points to.
In theory, theory and practice are the same. In practice, they ain't.
Top
JohnFrumm

Re: soft link security

Post by JohnFrumm »

OK, thank you both, although this still seems like a security risk to me.
Top
User avatar
Termy
Level 12
Level 12
Posts: 4248
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:
Contact Termy

Re: soft link security

Post by Termy »

The real file attributes are those of the file the symbolic link points to.
As explained from the other poster, the permissions of the link aren't the real permissions; they're instead that of the file to which the link points. No need to worry.
I'm also Terminalforlife on GitHub.
Top
JohnFrumm

Re: soft link security

Post by JohnFrumm »

Termy wrote: Mon May 07, 2018 7:05 pm
The real file attributes are those of the file the symbolic link points to.
As explained from the other poster, the permissions of the link aren't the real permissions; they're instead that of the file to which the link points. No need to worry.
Yes, and what about this scenario:

There is a file that several people edit, so it has permissions 664. There is a link to this file in a (shared) directory.

Alice is a little lax with computer security, and Bob Nefarious gets remote access to the computer containing the link through Alice's computer and redirects it to pornfreemoneygrowyourjunkcallmeXXXnigerianMoneyscammers.ru. The next time anyone clicks on the link...

It seems it would be safer if the link itself should have permissions 600 so nobody can redirect it but the primary owner.

You could say "well, if Bob gets access you have other problems", but that just avoids the question. Most people are HORRIBLE w.r.t. computer security (like Alice), viz. have very weak passwords, click wherever, etc.
Top
JohnFrumm

Re: soft link security

Post by JohnFrumm »

JohnFrumm wrote: Tue May 08, 2018 10:23 am
Termy wrote: Mon May 07, 2018 7:05 pm
The real file attributes are those of the file the symbolic link points to.
As explained from the other poster, the permissions of the link aren't the real permissions; they're instead that of the file to which the link points. No need to worry.
Yes, and what about this scenario:

There is a file that several people edit, so it has permissions 664. There is a link to this file in a (shared) directory.

Alice is a little lax with computer security, and Bob Nefarious gets remote access to the computer containing the link through Alice's computer and redirects it to pornfreemoneygrowyourjunkcallmeXXXnigerianMoneyscammers.ru. The next time anyone clicks on the link...

It seems it would be safer if the link itself should have permissions 600 so nobody can redirect it but the primary owner.

You could say "well, if Bob gets access you have other problems", but that just avoids the question. Most people are HORRIBLE w.r.t. computer security (like Alice), viz. have very weak passwords, click wherever, etc.
After thinking it over for a few days I get it - if the folder containing the link has permissions 740, then other users in the group can use the link but not change it. Oops.
Top
Locked

Return to “Beginner Questions”