From ffa286c6a8ffe8450aeaa1e2c8cfe1582c99f581 Mon Sep 17 00:00:00 2001
From: Kaz Kylheku
Date: Sat, 30 Jul 2022 15:29:09 -0700
Subject: Add countermeasure against hard link attacks in /tmp.

* safepath.c (safepath_check): Reject symbolic links that have a link count greater than 2. To defeat this check, the attacker must not only be able to hard link someone else's symlink into a /tmp-like directory, but unlink the original. (That could happen if the user or root have some available symlink sitting in an unsecured directory.)
---
 safepath.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'safepath.c')

diff --git a/safepath.c b/safepath.c
index b66db65..a57ed6a 100644
--- a/safepath.c
+++ b/safepath.c
@@ -377,6 +377,15 @@ int safepath_check(const char *name)
         goto free_out;
     }
 
+    /* A symlink with a link count > 1 is suspicious; it looks like a
+     * hard link attack: an attacker hard linking a symlink into a
+     * /tmp-like directory.
+     */
+    if (st.st_nlink > 1) {
+        ret = SAFEPATH_UNSAFE;
+        goto free_out;
+    }
+
     if ((len = readlink(copy, link, sizeof link)) < 0) {
         ret = safepath_err(errno);
         goto free_out;
-- 
cgit v1.2.3
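Review bot: The rejection on `st.st_nlink > 1` is only meaningful if `st` was filled by `lstat()` on `copy`, because a `stat()` would follow the link and report the target's link count instead; the call that fills `st` lies outside the hunk, and safepath_check's body starts and ends outside it, so this cannot be confirmed here. The new comment would benefit from stating that dependency explicitly, e.g. `/* st must come from lstat(): stat() would report the target's link count. */`. Note also that the commit message says "link count greater than 2" while the code and its comment reject a count greater than 1; the code's threshold matches the stated rationale (one extra hard link already yields a count of 2), so the message is the one that looks off. As the message itself concedes, the check is a heuristic: it is bypassed once the original name is unlinked, and it will also reject a symlink that was legitimately hard-linked.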