Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!mouse
From: mouse@thunder.mcrcim.mcgill.edu (der Mouse)
Newsgroups: comp.unix.questions
Subject: Re: Symbolic link
Message-ID: <1991May24.103151.2620@thunder.mcrcim.mcgill.edu>
Date: 24 May 91 10:31:51 GMT
References: <9105200532.AA27396@csufres.CSUFresno.EDU>
Organization: McGill Research Centre for Intelligent Machines
Lines: 37

In article <9105200532.AA27396@csufres.CSUFresno.EDU>, quang@CSUFRES.CSUFRESNO.EDU (Quang Ngo) writes:

> I have a simple question:

> If someone were to make a symbolic link to my account (if I
> accidentally left it opened), then how do I know?  How would I remove
> it?

The question doesn't really make much sense.  By "to [your] account",
you presumably mean to one of your directories.  I'm not sure what you
mean by leaving it "open[ed]", but I assume this means with some of the
world access bits turned on.

The only permissions involved when creating a symbolic link are those
on the directory in which the link resides.  The place the link points
to does not need to have any permission bits turned on; in fact, it
need not even exist.  So anyone can create a symbolic link pointing to
any of your directories at any time, regardless of how you have your
permission bits set.

So, why isn't this a huge security hole?  Because the permissions are
checked when the link is used, of course.

How would you know?  You wouldn't.  You'd have to search the entire
filesystem, and to do a thorough job of it you'd have to be super-user.
But it doesn't really matter because if you turn off the permission
bits your stuff is inaccessible even if the link does exist.

How would you remove it?  Again, you generally wouldn't.  You'd need to
be able to remove stuff from the directory the link is in, which you
presumably wouldn't have.  But again, it really doesn't much matter.

					der Mouse

			old: mcgill-vision!mouse
			new: mouse@larry.mcrcim.mcgill.edu