0

I'm preparing for OSCP and I found an interesting situation (Alpine Linux).

There is a daemon super_service executed by root that is reading a configuration file from /var/super_service/configs/, which is a symbolic link to a location where my user john has no write permissions.

$ id
uid=1000(john) gid=1000(john) groups=1000(john)

$ ls -la /var/super_service
drwxr-xr-x    2 root     root          4096 May  9  2019 .
drwxr-xr-x    3 root     root          4096 May  9  2019 ..
lrwxrwxrwx    1 root     root            13 May  9  2019 configs -> /etc/super_service/configs

$ ls -la /etc/super_service/configs
drwxr-xr-x    1 root     root          4096 Jan 29 12:10 .
drwxr-xr-x    1 root     root          4096 Jan 29 12:10 ..
-rw-------    1 root     root           283 Jan 23  2019 root.cfg

The potential flaw is that the /var/super_service/configs/ symbolic link permissions are rwx for everyone. If I manage to "redirect" this symbolic link to a location controlled by me, I'd be able to control the config file read by super_service. Unfortunately, due to the /var/super_service permissions (r-x), I'm not able to remove or replace this symbolic link.

I wonder if this situation is exploitable in any way?

My understanding is that if /var/super_service/configs were a regular file, not a symbolic link, with the exact same permissions, I could overwrite this file. But is there an equivalent of overwrite that is applicable to symbolic links?

elklepo

1 Answer

4

No, that's not exploitable. Write permission on links is worthless in practice. To re-target a link, you need write permission on the parent directory. To modify the file or directory that the link is targeting, you need write permission on the target. Write permission on just the link lets you do neither of these things.
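
The two checks named in the answer above, as an added example that is not part of the original answer: the function names are hypothetical and the temporary tree is constructed to mirror the layout in the question. It goes one step beyond the answer by also reporting sticky directories, where a write bit on the parent still does not let a non-owner replace the entry.

```shell
#!/bin/sh
# Added example: which permission bits decide whether a symlink can be
# redirected or its target changed. "Others" here means group or other.

# mode_of PATH -> octal mode of the object PATH resolves to (-L follows links)
mode_of() { stat -L -c '%a' -- "$1"; }

# others_can_retarget LINK -> yes | no | owner-only
# Replacing a link means unlinking or renaming an entry in its parent
# directory, so only the parent's bits matter; the link's own rwxrwxrwx is ignored.
others_can_retarget() {
    m=$(mode_of "$(dirname -- "$1")")
    if [ $(( 0$m & 022 )) -eq 0 ]; then echo no
    elif [ $(( 0$m & 01000 )) -ne 0 ]; then echo owner-only   # sticky directory
    else echo yes
    fi
}

# others_can_write_target LINK -> yes | no (mode of the resolved target)
others_can_write_target() {
    m=$(mode_of "$1")
    if [ $(( 0$m & 022 )) -ne 0 ]; then echo yes; else echo no; fi
}

# make_demo_tree -> prints the path of a constructed link laid out like the
# question: <tmp>/var/super_service/configs -> <tmp>/etc/super_service/configs
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/var/super_service" "$t/etc/super_service/configs"
    chmod 755 "$t/var/super_service" "$t/etc/super_service/configs"
    ln -s "$t/etc/super_service/configs" "$t/var/super_service/configs"
    echo "$t/var/super_service/configs"
}

l=$(make_demo_tree)
echo "link's own bits: $(stat -c '%A' -- "$l")"
echo "retarget:        $(others_can_retarget "$l")"
echo "write target:    $(others_can_write_target "$l")"
rm -rf "${l%/var/super_service/configs}"
```
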