Why is it bad to have root writing files to a directory not owned by root?

Posted on

Why is it bad to have root writing files to a directory not owned by root? – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, security, permissions, , .

This came up in a comment to another question and I’d love it if someone could explain the reasons for this to me.

I suggested having Apache log the errors for a given VHost to a user’s home directory. This was shot down because it was insecure. Why?

I asked for clarification in a reply comment but all I got was that it’s insecure to have root writing in a folder not owned by root. Again, could someone explain?

Thanks,

Bart.

Solution :

Because an evil user can maliciously try to point the file root is writing to a different location.
This is not so simple, but really possible.

As an example, if a user would find the way to make a symlink from the supposed Apache log to, say, /etc/shadow you’ll suddenly have an unusable system. Apache (root) would overwrite your users’ credentials making the system faulty.

ln -s /etc/shadow /home/eviluser/access.log

If the access.log file is not writable by the user it can be difficult to hijack it, but avoiding the possibility is better!

A possibility could be to use logrotate to do the job, creating the link to a file not already existing, but that logrotate will overwrite as soon as the logs grows:

ln -s /etc/shadow /home/eviluser/access.log.1

Note:

The symlink method is only one of the possible attacks, given as a proof of concept.

Security has to be made with a White List mind, not blacklisting what we know to be an issue.

The general principle of not having processes write into a directory they don’t own or trust is a good one. But in this particular case, it’s reasonable to trust that the Apache code opens the log with O_NOFOLLOW etc: logging into a user’s home directory is a common setup.

Leave a Reply

Your email address will not be published. Required fields are marked *