On 01/29/2017 05:07 PM, Alan McKinnon wrote:
>
> Sure it can be done, just don't chown -R <user> ~user. DO it the VERY
> long way round, file by file. Say you changed user "awesome" uid 300 to 400:
>
> find / -uid 300 -exec chown awesome {} \+
>
That will find symlinks created by UID 300, and chown will follow them to give "awesome" ownership of the TARGET of the symlink; an easy root exploit.

If you are about to suggest "find -type f" or the "--no-dereference" flag, then beware that chown will also follow hardlinks and you're still screwed (albeit limited to one filesystem, and on vanilla kernels).
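An added example (not from either poster) of the safer form of the same migration: stay on one filesystem, let chown act on the link itself with -h, and refuse to touch any non-directory that has more than one name, since changing that inode changes every path that shares it. It assumes GNU find/chown and uses a constructed tree owned by the current user to stand in for the old uid.

```bash
#!/bin/bash
# Assumption: GNU find (-printf, -xdev) and chown -h are available.

# Dry run by default (prints the actions); pass 1 as 4th arg to execute.
# Returns 1 when hardlinked inodes were found, so the caller can review them.
migrate_owner() {
    local root=$1 old_uid=$2 new_owner=$3 do_it=${4:-0}
    local hard
    # find lstat()s by default, so a symlink owned by old_uid matches as the link,
    # not as its target. Non-directories with more than one name share an inode
    # with another path; chown there changes every name at once, so skip those.
    hard=$(find "$root" -xdev -uid "$old_uid" ! -type d -links +1 -printf 'skip-hardlink %p\n')
    if [ -n "$hard" ]; then printf '%s\n' "$hard"; fi
    if [ "$do_it" = 1 ]; then
        # -h changes the symlink inode itself and never dereferences it.
        find "$root" -xdev -uid "$old_uid" \( -type d -o -links 1 \) -exec chown -h -- "$new_owner" {} +
    else
        find "$root" -xdev -uid "$old_uid" \( -type d -o -links 1 \) -printf 'chown %p\n'
    fi
    if [ -n "$hard" ]; then return 1; fi
    return 0
}

# Constructed demo tree (all owned by the current user, standing in for uid 300):
#   home/plain                 ordinary file
#   home/link -> victim/secret symlink pointing outside the user's tree
#   home/twin, home/twin2      two names for one inode
make_demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/home" "$d/victim"
    echo secret > "$d/victim/secret"
    echo plain > "$d/home/plain"
    ln -s "$d/victim/secret" "$d/home/link"
    echo twin > "$d/home/twin"
    ln "$d/home/twin" "$d/home/twin2"
    printf '%s\n' "$d"
}

# Dry run: the symlink is listed as itself, victim/secret never appears, and
# the hardlinked pair is reported instead of changed.
demo_dir=$(make_demo)
migrate_owner "$demo_dir/home" "$(id -u)" awesome || echo "hardlinked files need manual review"
rm -rf "$demo_dir"
```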