← Writing
Research

Symbolic links (symlinks) in Linux

Dec 24, 2024 · 3 min read

What Are Symlinks?

In Linux, symbolic links are essentially shortcuts that point to other files or directories. They allow you to reference a file or directory without duplicating its contents. Symlinks are incredibly useful when you need to access or organize files in multiple locations. However, if used carelessly, they can create security vulnerabilities, particularly when root-owned processes interact with user-created symlinks.

Hard Links vs. Symbolic Links

Creating and Using Symlinks

The basic syntax for creating a symlink is:

ln -s [target] [symlink_name]

[target]: The file or directory you want to link to.
[symlink_name]: The name of your symlink.

Examples

# Creating a symlink to a file
ln -s /home/user/documents/file.txt /home/user/desktop/file_link.txt

This creates file_link.txt on your desktop, which behaves like a shortcut to file.txt.

# Creating a symlink to a directory
ln -s /home/user/projects /home/user/desktop/projects_link

Accessing projects_link will take you directly to /home/user/projects.

Overwriting an Existing Symlink

ln -sf /new/target/path /path/to/existing_symlink

The -f option forces the update of the symlink’s target.

Privilege Escalation Using Symlinks

During my Hack The Box challenge, I learned how symlinks can be used to escalate privileges when system configurations are insecure. Here’s how this works:

Scenario: Exploiting a Root-Owned Script

Imagine a script (backup.sh) owned by root regularly copies files from a directory to a root-owned backup location. If the script is designed to follow any symlinks it encounters, this could give normal users access to root-level files.

Steps to Exploit

# Step 1: Remove any existing file at /tmp/important_file
rm -f /tmp/important_file

# Step 2: Create a symlink pointing to /etc/shadow
ln -s /etc/shadow /tmp/important_file

# Step 3: Wait for the root script to run or run it manually if possible

If the root script copies /etc/shadow to a location accessible to the user, the user can potentially gain root-level information and escalate privileges.

Mitigating This Exploit

Conclusion

Symlinks are an incredibly powerful tool for managing files and directories, but they come with inherent risks if not handled carefully. Understanding how symlinks work and the potential security implications is critical for both system administrators and security professionals. Whether you're organizing files or working on penetration testing challenges, symlinks offer both utility and insight into system-level operations.

← All writing