Language Selection

English French German Italian Portuguese Spanish

Broken Links in Linux File Systems can be a Security Risk

Filed under
Security

BROKEN LINKS in Linux file systems are not just annoying — they can also be a security risk. In a previous post, I discussed the potential dangers of unowned files and in this post I will talk about those annoying, resource consuming broken links usually considered simple file system “lint”.

I recently spoke to a Security Blanket™ customer and they asked me, "Why does Security Blanket report on these broken links?" I responded with a typical, technical explanation of...

"It [Security Blanket™] was trying to determine the file's existing access controls by using stat(2) not lstat(2). This call was unsuccessful because the target file was non-existent therefore, we want you to be aware of this 'lint'."

Although I could not see their face, I am sure their eyes were rolling at my somewhat cryptic response. Later that day, I contemplated the existence of broken links and realized they are a potential security risk — in the form of a Trojan Horse.

Common Uses of Links




More in Tux Machines

systemd and DebConf16

  • systemd backport of v230 available for Debian/jessie
    At DebConf 16 I was working on a systemd backport for Debian/jessie. Results are officially available via the Debian archive now. In Debian jessie we have systemd v215 (which originally dates back to 2014-07-03 upstream-wise, plus changes + fixes from pkg-systemd folks of course). Now via Debian backports you have the option to update systemd to a very recent version: v230. If you have jessie-backports enabled it’s just an `apt install systemd -t jessie-backports` away. For the upstream changes between v215 and v230 see upstream’s NEWS file for list of changes. (Actually the systemd backport is available since 2016-07-19 for amd64, arm64 + armhf, though for mips, mipsel, powerpc, ppc64el + s390x we had to fight against GCC ICEs when compiling on/for Debian/jessie and for i386 architecture the systemd test-suite identified broken O_TMPFILE permission handling.)
  • DebConf16 low resolution videos
    If you go to the Debian video archive, you will notice the appearance of an "lq" directory in the debconf16 subdirectory of the archive. This directory contains low-resolution re-encodings of the same videos that are available in the toplevel.

Linux Kernel

Red Hat News

Android Leftovers