Symbolic links (symlinks) in Linux
What Are Symlinks?
In Linux, symbolic links are essentially shortcuts that point to other files or directories. They allow you to reference a file or directory without duplicating its contents. Symlinks are incredibly useful when you need to access or organize files in multiple locations. However, if used carelessly, they can create security vulnerabilities, particularly when root-owned processes interact with user-created symlinks.
Hard Links vs. Symbolic Links
- Hard Links: Direct references to data on disk. Hard links share the same inode with the original file, meaning they’re identical and can’t link to directories.
- Symbolic Links (Symlinks): References that point to the path of a target file or directory. Symlinks are separate from the original file’s data, so deleting the target will break the link.
Creating and Using Symlinks
The basic syntax for creating a symlink is:
ln -s [target] [symlink_name]
• [target]: The file or directory you want to link to.
• [symlink_name]: The name of your symlink.
Examples
# Creating a symlink to a file
ln -s /home/user/documents/file.txt /home/user/desktop/file_link.txt
This creates file_link.txt on your desktop, which behaves like a shortcut to file.txt.
# Creating a symlink to a directory
ln -s /home/user/projects /home/user/desktop/projects_link
Accessing projects_link will take you directly to /home/user/projects.
Overwriting an Existing Symlink
ln -sf /new/target/path /path/to/existing_symlink
The -f option forces the update of the symlink’s target.
Privilege Escalation Using Symlinks
During my Hack The Box challenge, I learned how symlinks can be used to escalate privileges when system configurations are insecure. Here’s how this works:
Scenario: Exploiting a Root-Owned Script
Imagine a script (backup.sh) owned by root regularly copies files from a directory to a root-owned backup location. If the script is designed to follow any symlinks it encounters, this could give normal users access to root-level files.
Steps to Exploit
# Step 1: Remove any existing file at /tmp/important_file
rm -f /tmp/important_file
# Step 2: Create a symlink pointing to /etc/shadow
ln -s /etc/shadow /tmp/important_file
# Step 3: Wait for the root script to run or run it manually if possible
If the root script copies /etc/shadow to a location accessible to the user, the user can potentially gain root-level information and escalate privileges.
Mitigating This Exploit
- Avoid Following Symlinks in Scripts: Avoid copying or modifying files without checking for symlinks, especially in root-owned scripts.
- Use the
-POption incp: This flag tellscpnot to follow symlinks, helping to prevent exploitation. - Restrict Writable Directories: Limit permissions on directories where files are written or manipulated by privileged processes.
Conclusion
Symlinks are an incredibly powerful tool for managing files and directories, but they come with inherent risks if not handled carefully. Understanding how symlinks work and the potential security implications is critical for both system administrators and security professionals. Whether you're organizing files or working on penetration testing challenges, symlinks offer both utility and insight into system-level operations.