Question

While reading about shell scripts and temporary file handling, I came across Symlink Exploits. http://www.linuxsecurity.com/content/view/115462/151/ is the basic idea. I wondered if Python open() checks the file it is about to open to see if it is a symbolic link and tried to open a symbolic link file in 'w' mode. To my surprise it opened the link and consequently overwrote the file to which the link was pointing. Now if my Python program is doing a lot of file handling and that too in a predictable way, is it not possible that an attacker creates a link by the name of the file my program is supposed to create and links it to a critical system file? This would overwrite the system file and crash the system? I used Python 2.4. Do subsequent Python versions address this issue?

Or is this an issue at all?

Solution

The problem only happens if you create temporary files (well, in general -- write to files) which have predictable names and are located in a directory which other users can write to. So if your script only writes to your home directory you are fine. If you need to create temporary files in a shared-write directory, e.g. /tmp, you should use something like http://docs.python.org/library/tempfile.html
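The behaviour described in the question and the tempfile recommendation above, side by side, as an added example that is not part of the original question or answers. It is written for Python 3 on a POSIX system; the file names, the `myprog-` prefix and the throwaway directory standing in for `/tmp` are constructed for the demonstration.

```python
import os
import tempfile

def write_naive(path, data):
    # Pattern from the question: open(..., "w") follows a symlink at `path`
    # and truncates whatever file the link points to.
    with open(path, "w") as f:
        f.write(data)

def write_exclusive(path, data):
    # O_CREAT | O_EXCL makes creation atomic and fails if anything already
    # exists at `path`, including a symlink (even a dangling one).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def write_temp(directory, data):
    # mkstemp picks an unpredictable name and creates it exclusively, mode 0600.
    fd, path = tempfile.mkstemp(dir=directory, prefix="myprog-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        victim = os.path.join(shared, "victim.conf")  # constructed target file
        with open(victim, "w") as f:
            f.write("original")
        predictable = os.path.join(shared, "myprog.tmp")
        os.symlink(victim, predictable)  # link planted at the predictable name
        try:
            write_exclusive(predictable, "scratch")
            results["exclusive_refused"] = False
        except FileExistsError:
            results["exclusive_refused"] = True
        results["after_exclusive"] = read(victim)
        tmp = write_temp(shared, "scratch")
        results["temp_is_symlink"] = os.path.islink(tmp)
        write_naive(predictable, "scratch")  # follows the link
        results["after_naive"] = read(victim)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the plain `open()` call changes the linked file; the exclusive create raises `FileExistsError` and `mkstemp` never touches the predictable name at all.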

OTHER TIPS

If your program is running with elevated privileges (such as root), then you can prevent this type of attack by not writing to files in a directory where lower privilege users have the ability to create symlinks.

This problem cannot be solved by the language or runtime library, but must be addressed in the environment in which the program runs.

(Note that if your program is not running with elevated privileges, then the user creating a symlink won't let them do anything that they couldn't have just done themselves without your program.)

First of all, the user who runs the script should not have the permission to write critical system files. Secondly, it is not Python's task to address that issue. It is the task of the developer of the script. Python provides tempfile at least since 2.3.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow