Strengthening Permissions on Hard Links - 10 Mar 2008
March 9, 2008
How important is the System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) security option? Are there any drawbacks to enabling this setting?
Microsoft documentation says that this setting "strengthens" the ACL of share objects, including DOS device names (e.g., lpt1, com1) and objects called mutexes and semaphores that multithreaded applications use for synchronization. This setting also strengthens ACLs on hard links in NTFS. The only proven vulnerability I know of that this setting protects against involves hard links. Hard links are similar to shortcuts but integrate much more deeply into the file system. Shortcuts are .lnk files; hard links are actual directory entries in the file system. Hard links allow you to, in essence, put the same file into many different folders at once.
At any rate, there's a published exploit method that tells how to destroy a data file by creating a hard link that looks like a temporary file but points to the data file. The exploit works only if a program running on the system has a high level of authority and creates files with predictable names such as log0001, log002, and so on. For example, mod_gzip, a popular module that performs Web page compression for Apache HTTP Server, creates log files according to a predictable naming convention. An attacker anticipates the name of a temporary file the program will use in the near future and creates a hard link that looks like a temporary filename but actually points to the file that the attacker wants to destroy. When the program reaches the bogus temporary filename, it unknowingly overwrites the file targeted by the attacker. Enabling System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) prevents an attacker from exploiting mod_gzip or other programs that create files with predictable names. I run my systems with this setting enabled and haven't linked any problems to it. Therefore, I recommend enabling this setting as a standard policy.
—Randy Franklin Smith
About the Author
You May Also Like