===========================================================================
	      [8lgm]-Advisory-19.UNIX.SunOS-kernel.1-Jun-1994

SYSTEM CALL:

	link(2)

KNOWN VULNERABLE OS:

	SunOS 4.1.*

DESCRIPTION:

	The synopsis of the link(2) system call is:

	int link(path1, path2)
	char *path1, *path2;

	Under SunOS 4.1.*, link(2) will incorrectly follow symbolic links
	for path2.

IMPACT:

	Programs that use the link(2) system call with path2 located in a
	publicly writable directory can potentially be used to gain root
	access. For example, the advisory

		[8lgm]-Advisory-15.UNIX.mail3.28-Nov-1994

	is based on binmail using this vulnerability in link(2).

REPEAT BY:

	An example exploit for the [8lgm]-Advisory-15.UNIX.mail3.28-Nov-1994
	advisory is available from the 8lgm fileserver, as of now.  To 
	obtain this program, send mail to 8lgm-fileserver@8lgm.org, with a
	line in the body of the message containing:-

	SEND suln.c

DISCUSSION:

	A secure link(2) system call can allow path1 to be a symbolic link.
	However, allowing path2 to be a symbolic link can potentially cause
	security problems.

	Consider a program creating hard links in a publicly writable
	directory as a privileged uid. The program has no way of creating
	a hard link in a secure manner: any code written to provide a
	workaround would be non-atomic, and therefore open to race
	conditions. To use hard links in the situation described would
	require using the chroot(2) system call, producing a non-elegant
	fix.

WORKAROUND:

	The link(2) system call is used almost exclusively for file locking.
	Using the open(2) system call, it is possible to write a secure
	file locking mechanism.

	Sample locking code using open(2), and not link(2), can be seen in
	CERT Advisory

		CA-95:02.binmail.vulnerabilities

	The code contained in this advisory is a replacement for binmail,
	and is recommended for use.
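
	The open(2)-based locking described above, as an added example (not
	code from this advisory or from CA-95:02): open(2) with
	O_CREAT|O_EXCL creates the lock file in one atomic step and, per
	POSIX, fails with EEXIST when the name is a symbolic link, so the
	link is never followed. The function names and the default path
	example.lock are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; names and default path are hypothetical.
 * Returns an open descriptor, or -1 with errno == EEXIST when the name
 * already exists (lock held, or a symbolic link planted at lockpath). */
int acquire_lock(const char *lockpath)
{
    char buf[32];
    /* O_CREAT|O_EXCL: create-or-fail atomically; never follows a symlink. */
    int fd = open(lockpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)n) != n) {   /* record the owner's pid */
        int saved = errno;
        close(fd);
        unlink(lockpath);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Drop the lock: remove the name, then close the descriptor. */
int release_lock(const char *lockpath, int fd)
{
    int rc = unlink(lockpath);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "example.lock";
    int fd = acquire_lock(path);
    if (fd < 0) {
        fprintf(stderr, "lock %s: %s\n", path, strerror(errno));
        return 1;
    }
    puts("lock held");
    return release_lock(path, fd) == 0 ? 0 : 1;
}
```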

FIX:

	Contact vendor for fix.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

	majordomo@8lgm.org	(Mailing list requests - try 'help'
				 for details)

	8lgm@8lgm.org		(Everything else)

8LGM FILESERVER:

	All [8LGM] advisories may be obtained via the [8LGM] fileserver.
	For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

	[8LGM]'s web server can be reached at http://www.8lgm.org.
	This contains details of all 8LGM advisories and other useful
	information.
===========================================================================