Bug 24007 - absolute symbolic link in RH install tree
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Matt Wilson
QA Contact: Brock Organ
Keywords: Security
Reported: 2001-01-14 17:27 EST by sdh4
Modified: 2007-04-18 12:30 EDT
Doc Type: Bug Fix
Last Closed: 2001-02-19 19:00:55 EST
Attachments: None

Description sdh4 2001-01-14 17:27:18 EST
The files RedHat/instimage/usr/X11R6/lib/X11/xkb/compiled
and RedHat/instimage/var/lib/xkb in the Red Hat Linux 7.0 install
tree are both symbolic links to /tmp.

This is a security risk if the install tree is placed on a web server
(e.g. for HTTP install). If the webserver has FollowSymLinks enabled,
the entire /tmp directory of the webserver will be exposed to the
world (and worse, to search engines). Should a symbolic link exist
within /tmp to the root of the filesystem, the entire server directory
structure will be exposed.

I believe that network installs will still work if these symbolic links
are removed.
Comment 1 Michael Fulbright 2001-01-15 19:33:05 EST
Assigning to a developer.
Comment 2 Matt Wilson 2001-01-16 12:48:50 EST
This is not a security risk. The symlinks that point to /tmp are actually
pointing to /tmp on the initial ramdisk during installation.
Comment 3 sdh4 2001-01-17 15:07:31 EST
The symlinks do point to /tmp during the installation... That is not the bug.
The problem is that when the tree is posted to a web server, the symlinks
point to the /tmp directory of that server. This violates the security of
the server unless other measures are taken (e.g. FollowSymLinks is disabled).

One solution would be to change the instimage to an actual ISO image, then
mount with loopback during installation. Another would be to change the
programs on the instimage so they don't require access to /tmp or have
/tmp hardcoded in or read /tmp from a config file.
Comment 4 Matt Wilson 2001-01-17 17:30:41 EST
The next version of Red Hat Linux will have no symlinks in the install trees
that one would put on a web or ftp server.