Is the builtin open() subject to the symlink attacks mentioned in the release 3.3 release notes?
I think so in that if you’re running as an admin user and someone knows the path you’ll do something, they can put a symlink there and you’ll follow it.
More info from SO: Symlink Exploits in Python - Stack Overflow
1 Like
open() follows symlinks created by other users. Here is a example where a regular user creates a symlink to a file in /root/, and the root user writes to it:
$ whoami
dbohdan
$ ln -s /root/test.txt test.txt
$ sudo whoami
root
$ sudo python3 -c 'f = open("test.txt", "w"); print("Hello.", file=f)'
$ cat /root/test.txt
cat: /root/test.txt: Permission denied
$ sudo cat /root/test.txt
Hello.
On Linux, this “trick” doesn’t work in a world-writable directory that has the sticky bit set when /proc/sys/fs/protected_symlinks is enabled:
When set to “1” symlinks are permitted to be followed only when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink’s owner.
The most prominent example of a directory like this on modern Linux systems is /tmp/:
$ cd /tmp/
$ ln -s /root/test.txt test.txt
> sudo python3 -c 'f = open("test.txt", "w"); print("Hello.", file=f)'
Traceback (most recent call last):
File "<string>", line 1, in <module>
PermissionError: [Errno 13] Permission denied: 'test.txt'
Note that the sticky bit does not apply to subdirectories. Setting the sticky bit also doesn’t have the effect of protected_symlinks on other operating systems, like FreeBSD.
1 Like