Today I created some links to some files:
ln -s /dummylocation/Myfile linkToMyfile
It works great, but I noticed that it is impossible to chmod the link by design.
Isn't this a major security hole? Wouldn't it be possible for someone to delete the link and redirect it to some nefarious executable? Obviously they would have to have access to the link, but the default mod is 777 (although the folder is 700).
What am I missing?
soft link security
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions use the other forums in the support section.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: soft link security
For creating or deleting a file, only the permissions of the containing folder are important. So with octal 700 only the owner has (full) permissions, all others have none.
- slipstick
Re: soft link security
From the book "The Linux Command Line" by William Shotts - free download at:
http://linuxcommand.org/tlcl.php
Notice that with symbolic links, the remaining file
attributes are always “rwxrwxrwx” and are dummy values. The real
file attributes are those of the file the symbolic link points to.
In theory, theory and practice are the same. In practice, they ain't.
Re: soft link security
OK, thank you both, although this still seems like a security risk to me.
Re: soft link security
> The real file attributes are those of the file the symbolic link points to.
As explained by the other poster, the permissions of the link aren't the real permissions; they're instead those of the file to which the link points. No need to worry.
I'm also Terminalforlife on GitHub.
Re: soft link security
Yes, and what about this scenario:
There is a file that several people edit, so it has permissions 664. There is a link to this file in a (shared) directory.
Alice is a little lax with computer security, and Bob Nefarious gets remote access to the computer containing the link through Alice's computer and redirects it to pornfreemoneygrowyourjunkcallmeXXXnigerianMoneyscammers.ru. The next time anyone clicks on the link...
It seems it would be safer if the link itself should have permissions 600 so nobody can redirect it but the primary owner.
You could say "well, if Bob gets access you have other problems", but that just avoids the question. Most people are HORRIBLE w.r.t. computer security (like Alice), viz. have very weak passwords, click wherever, etc.
Re: soft link security
JohnFrumm wrote: Tue May 08, 2018 10:23 am
> Yes, and what about this scenario:
> There is a file that several people edit, so it has permissions 664. There is a link to this file in a (shared) directory.
> Alice is a little lax with computer security, and Bob Nefarious gets remote access to the computer containing the link through Alice's computer and redirects it to pornfreemoneygrowyourjunkcallmeXXXnigerianMoneyscammers.ru. The next time anyone clicks on the link...
> It seems it would be safer if the link itself should have permissions 600 so nobody can redirect it but the primary owner.
> You could say "well, if Bob gets access you have other problems", but that just avoids the question. Most people are HORRIBLE w.r.t. computer security (like Alice), viz. have very weak passwords, click wherever, etc.
After thinking it over for a few days I get it - if the folder containing the link has permissions 740, then other users in the group can use the link but not change it. Oops.
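
Added example (not part of any post in this thread): a shell script showing that chmod on a symlink changes the target rather than the link, and that who can delete and re-create the link is read from the containing directory's mode bits. It assumes GNU coreutils stat on Linux; the names who_can_retarget and demo and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils `stat -c` (Linux); all paths are constructed.

# Report who, besides root, can delete or replace entries (such as a symlink)
# in directory $1, judged only from the directory's mode bits.
who_can_retarget() {
    mode=$(stat -c %a "$1")            # e.g. 700, 770, 1777
    perms=$(printf '%04d' "$mode")     # pad so the special-bits digit exists
    special=${perms%???}               # setuid/setgid/sticky digit
    rest=${perms#?}                    # owner/group/other digits
    g=${rest#?}; g=${g%?}              # group digit
    o=${rest#??}                       # other digit
    if [ $((special & 1)) -eq 1 ]; then
        echo owner                     # sticky: only link or directory owner
    elif [ $((o & 3)) -eq 3 ]; then
        echo other                     # write + search for everyone
    elif [ $((g & 3)) -eq 3 ]; then
        echo group                     # write + search for the group
    else
        echo owner
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared"
    echo data > "$d/Myfile"
    chmod 664 "$d/Myfile"
    link="$d/shared/linkToMyfile"
    ln -s "$d/Myfile" "$link"

    echo "before: link=$(stat -c %a "$link") target=$(stat -L -c %a "$link")"
    chmod 600 "$link"                  # chmod follows the link to Myfile
    echo "after chmod 600 on the link: link=$(stat -c %a "$link") target=$(stat -L -c %a "$link")"

    for m in 700 740 770 777 1777; do
        chmod "$m" "$d/shared"
        echo "directory $m: link can be replaced by $(who_can_retarget "$d/shared")"
    done
    rm -rf "$d"
}

demo
```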