| 1 |
On 01/29/2017 05:07 PM, Alan McKinnon wrote: |
| 2 |
> |
| 3 |
> Sure it can be done, just don't chown -R <user> ~user. DO it the VERY |
| 4 |
> long way round, file by file. Say you changed user "awesome" uid 300 to 400: |
| 5 |
> |
| 6 |
> find / -uid 300 -exec chown awesome {} \+ |
| 7 |
> |
| 8 |
|
| 9 |
That will find symlinks created by UID 300, and chown will follow them |
| 10 |
to give "awesome" ownership of the TARGET of the symlink; an easy root |
| 11 |
exploit. If you are about to suggest "find -type f" or the |
| 12 |
"--no-dereference" flag, then beware that chown will also follow |
| 13 |
hardlinks and you're still screwed (albeit limited to one filesystem, |
| 14 |
and on vanilla kernels). |
Archives