Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation

We analyze filename-based privilege escalation attacks, where an attacker creates filesystem links, thereby "tricking" a victim program into opening unintended files. We develop primitives for a POSIX environment, providing assurance that files in "safe directories" (such as /etc/passwd in the root-owned /etc) cannot be opened by looking up a file by an "unsafe pathname" (such as a pathname that resolves through a symbolic link in a world-writable directory). In today's UNIX systems, solutions to this problem are typically built into (some) applications and use application-specific knowledge about the (un)safety of certain directories. In contrast, we seek solutions that can be implemented in the filesystem itself (or in a library on top of it), thus providing protection to all applications.

Our solution is built around the concept of pathname manipulators, which are roughly the users that can influence the result of a file lookup operation. For each user, we distinguish unsafe pathnames from safe pathnames according to whether or not the pathname has any manipulators other than that user or root. We propose a safe-open procedure that keeps track of the safety of the pathname as it resolves it component by component, and that takes extra precautions while opening files with unsafe pathnames. We prove that our solution can prevent a common class of filename-based privilege escalation attacks, and describe our implementation of the safe-open procedure as a library function over the POSIX filesystem interface. We tested our implementation on several UNIX variants to evaluate its implications for systems and applications. Our experiments suggest that this solution can be deployed in a portable way without breaking existing systems, and that it is effective against this class of pathname resolution attacks.

By: Suresh Chari; Shai Halevi; Wietse Venema

Published as: IBM Research Report RC24900 (2009)
