0

Do world-writable systemd .service files created as symbolic links in /etc/systemd/system impose a security threat?

Would it be possible to somehow modify the links to target arbitrary .service files on the system, and make systemd execute those files as root?

The permissions for the /etc/systemd/system directory are as follows:

```
drwxr-xr-x. 11 root root 4096 Aug 30 12:57 /etc/systemd/system/
```

and the world-writable links in this directory are:

```
1050594    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:53 /etc/systemd/system/ctrl-alt-del.target -> /dev/null
1050595    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:54 /etc/systemd/system/sensu-server.service -> /dev/null
1052003    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:54 /etc/systemd/system/sensu-api.service -> /dev/null
1052037    0 lrwxrwxrwx   1 root     root            9 Apr  9 11:55 /etc/systemd/system/dataeng.service -> /dev/null
```
schroeder
Shuzheng

1 Answer

1

No, because there is no way in Linux to modify a symlink in-place; you can only delete and recreate it, and there is no permission to do that.

Also: the permission of what you can do with a symlink is actually the permission of its target, not what shows in ls.

Gaius
  • So, in order to modify a symlink, the existing link must be deleted and then created again? What do you mean by "the permission on a symlink is actually the permission of its target, not what shows in ls."? The permissions of the link are different from the permissions of `/dev/null`. – Shuzheng Aug 30 '19 at 11:42
  • If the symlink is rwxrwxrwx but you cannot write to the thing it points to, you cannot write to it through the symlink either – Gaius Aug 30 '19 at 12:26
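
The point made in the answer, as an added audit sketch that is not part of the original post: whether a user can swap a link for another one is decided by the containing directory (write plus search permission, and the sticky bit), not by the `lrwxrwxrwx` mode that `ls` prints. The function names and the temporary directory layout are hypothetical, and the check looks only at classic mode bits (no ACLs, capabilities, immutable flags or ancestor directories).

```python
import os
import stat
import tempfile

def _class_bits(st, uid, gids):
    """Return the rwx bits (0-7) of this inode that apply to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_replace_link(link, uid, gids=()):
    """Could uid unlink and recreate `link`? Only the parent directory decides."""
    if uid == 0:
        return True
    parent = os.stat(os.path.dirname(os.path.abspath(link)))
    if _class_bits(parent, uid, gids) & 3 != 3:    # needs write (2) + search (1)
        return False
    if parent.st_mode & stat.S_ISVTX:               # sticky: entry or dir owner only
        return uid in (os.lstat(link).st_uid, parent.st_uid)
    return True

def audit(directory, uid, gids=()):
    """Return (name, lstat mode, target, replaceable) for each symlink."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)                         # lstat: the link, not its target
        if stat.S_ISLNK(st.st_mode):
            rows.append((name, stat.filemode(st.st_mode), os.readlink(path),
                         can_replace_link(path, uid, gids)))
    return rows

def demo():
    """Constructed layout: one link audited in a 0755 and then a 0777 directory."""
    with tempfile.TemporaryDirectory() as d:
        os.symlink("/dev/null", os.path.join(d, "dataeng.service"))
        other = os.stat(d).st_uid + 1000            # hypothetical unprivileged uid
        os.chmod(d, 0o755)                          # like /etc/systemd/system
        safe = audit(d, other)
        os.chmod(d, 0o777)                          # misconfigured directory
        exposed = audit(d, other)
        return safe, exposed

if __name__ == "__main__":
    for label, rows in zip(("0755 dir", "0777 dir"), demo()):
        print(label, rows)
```

The link's own mode string is identical in both runs; only the directory mode changes the result, so an audit for this issue should flag writable unit directories rather than link modes.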