On 01/29/2017 05:07 PM, Alan McKinnon wrote:
>
> Sure it can be done, just don't chown -R <user> ~user. DO it the VERY
> long way round, file by file. Say you changed user "awesome" uid 300 to 400:
>
> find / -uid 300 -exec chown awesome {} \+
>

That will find symlinks created by UID 300, and chown will follow them
to give "awesome" ownership of the TARGET of the symlink; an easy root
exploit. If you are about to suggest "find -type f" or the
"--no-dereference" flag, then beware that chown will also follow
hardlinks and you're still screwed (albeit limited to one filesystem,
and on vanilla kernels).
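An added example, not code from the thread: a pre-flight listing of the symlinks and multiply-linked files that the plain `find -exec chown` above would mishandle, plus a re-owning pass that uses `chown -h` and skips hard-linked files. It assumes POSIX `find` and `chown -h`; the `demo_tree` helper and the sample tree it builds are constructed for illustration.

```shell
# risky_entries ROOT UID
#   Lists entries owned by UID that a bare "chown" would treat unsafely:
#   symlinks (chown without -h changes the owner of the TARGET, not the
#   link) and regular files with more than one hard link (all names share
#   one inode, so re-owning one name re-owns the file under every name).
#   Review this list before touching ownership.
risky_entries() {
    root=$1
    uid=$2
    find "$root" -uid "$uid" -type l -exec printf 'symlink %s\n' {} +
    # directories always have a link count >= 2, so restrict to regular files
    find "$root" -uid "$uid" -type f -links +1 -exec printf 'hardlink %s\n' {} +
}

# reown_uid ROOT OLDUID NEWOWNER
#   Re-owns entries from OLDUID to NEWOWNER, changing symlinks themselves
#   (-h, never their targets) and skipping multiply-linked regular files,
#   which are left for manual review via risky_entries.
reown_uid() {
    root=$1
    olduid=$2
    newowner=$3
    find "$root" -uid "$olduid" \( -type d -o -type l -o -links 1 \) \
        -exec chown -h "$newowner" {} +
}

# demo_tree: builds a constructed sample tree in a temp dir and prints its path.
demo_tree() {
    d=$(mktemp -d)
    printf 'plain file\n' > "$d/plain"
    printf 'shared inode\n' > "$d/shared"
    ln "$d/shared" "$d/shared.hl"      # second hard link to the same inode
    ln -s /etc/passwd "$d/link"         # symlink pointing outside the tree
    mkdir "$d/sub"
    printf '%s\n' "$d"
}
```

Run `risky_entries / 300` (as in the thread's example UID) and inspect the output before `reown_uid / 300 awesome`; a dangling or out-of-tree symlink is harmless to `chown -h`, but each hard-linked file needs a human decision.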