Sticky bit are mentioned in every UNIX security book, but I couldn't find anyone that describes the exploitation of Sticky Bit set on a file.
Can you?
man chmod
#Debian Linux
RESTRICTED DELETION FLAG OR STICKY BIT
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. For regular files on some older systems, the bit saves the program's text image on the swap device so it will load more quickly when run; this is called the sticky bit.
Note that the "on some older systems" part applies to various BSD systems. Linux has never had any special handling for the sticky bit on files. See http://en.wikipedia.org/wiki/Sticky_bit for more detail about that.
From a security standpoint, it's really just about understanding why that permission exists on the /tmp directory, and possibly others. It prevents users from deleting the files of others in a directory that can be written to by multiple users. It's really only an issue if you don't set it and somebody gets delete happy on others' files.
Even though the OP realized that he confused the sticky bit (t) with the setuid/setgid bits (s), I want to give a "real-life scenario" for a missing sticky bit on a directory:
If you use an old-style text mail program like mutt and start compose mail, the following happens (roughly):
/var/tmp
An attacker may replace the file containing the text of your mail between step 4 and step 6. The reason is that the directory for temporary files has to be world-writable to be usable for all users. This attack works even if the file itself has access mode 0600, because having the right to create, replace or delete a file depends on the write permission bits on the directory.
The sticky bit prevents an attacker from deleting (system call unlink) or replacing (rename) a file of another user even if the attacker has write permission on the directory.
Modifying a file depends on the write access bits (and the ownership) of the file itself.
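As an added example (not part of the answer above), here is a small audit that finds exactly the risky case this answer describes: directories that are world-writable but lack the restricted-deletion (sticky) bit, so any user could unlink() or rename() another user's files in them. The directory names in the demo layout are constructed for illustration.

```python
import os
import stat
import tempfile


def missing_sticky_bit(path: str) -> bool:
    """True if `path` is a directory that is world-writable but has no
    restricted-deletion (sticky) bit, i.e. any local user may unlink()
    or rename() other users' files inside it."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False          # the sticky bit only matters on directories here
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    return world_writable and not sticky


def audit_tree(root: str) -> list:
    """Walk `root` and return every directory flagged by missing_sticky_bit."""
    flagged = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        if missing_sticky_bit(dirpath):
            flagged.append(dirpath)
    return sorted(flagged)


def build_demo() -> dict:
    """Constructed sample layout: one directory protected like /tmp (mode 1777)
    and one shared directory that is world-writable without the sticky bit (0777).
    Returns the paths so callers can check the audit result."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "tmp_with_sticky")
    bad = os.path.join(root, "shared_no_sticky")
    os.mkdir(good)
    os.chmod(good, 0o1777)   # world-writable, restricted deletion on
    os.mkdir(bad)
    os.chmod(bad, 0o777)     # world-writable, anyone may delete/rename files
    return {"root": root, "good": good, "bad": bad}


if __name__ == "__main__":
    demo = build_demo()
    for d in audit_tree(demo["root"]):
        print("world-writable directory without sticky bit:", d)
```

Run it against a real system root (for example `audit_tree("/")` as root) to list directories where the /tmp-style protection is missing.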