Vigil@nce: XFS acl, following symbolic links
December 2009 by Vigil@nce
In recursive mode, the setfacl/getfacl commands of XFS acl follows
symbolic links, even if options —physical/-P/-L are used.
Severity: 1/4
Consequences: data reading, data creation/edition, data deletion
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 29/12/2009
IMPACTED PRODUCTS
– Mandriva Enterprise Server
– Mandriva Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The setfacl/getfacl commands of XFS acl are used to define/obtain
ACLs on a file.
The option -R/—recursive of setfacl indicates to change
permissions recursively.
Options —physical/-P/-L indicate to not follow symbolic links.
However, these options are ignored.
An attacker can therefore use a symbolic link in order to force a
permission change outside the initial directory.
CHARACTERISTICS
Identifiers: BID-37455, CVE-2009-4411, MDVSA-2009:345,
VIGILANCE-VUL-9314
http://vigilance.fr/vulnerability/XFS-acl-following-symbolic-links-9314