Vigil@nce: XFS acl, following symbolic links
December 2009 by Vigil@nce
In recursive mode, the setfacl/getfacl commands of XFS acl follows symbolic links, even if options —physical/-P/-L are used.
Consequences: data reading, data creation/edition, data deletion
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 29/12/2009
Mandriva Enterprise Server
Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The setfacl/getfacl commands of XFS acl are used to define/obtain ACLs on a file.
The option -R/—recursive of setfacl indicates to change permissions recursively.
Options —physical/-P/-L indicate to not follow symbolic links. However, these options are ignored.
An attacker can therefore use a symbolic link in order to force a permission change outside the initial directory.
Identifiers: BID-37455, CVE-2009-4411, MDVSA-2009:345, VIGILANCE-VUL-9314