RedHat dhcp Symbolic Link Vulnerability
When configuring a dhcp interface in RedHat Linux 5.0, a script is called at the end that copies /etc/dhcpc/resolv.conf to /etc as shown below:
    if [ -f /etc/dhcpc/resolv.conf ]; then
        # Appends as root to a fixed, predictable path under /tmp
        echo "setting up resolv.conf" >> /tmp/dhcplog
        cp /etc/dhcpc/resolv.conf /etc
    fi
Since the script runs as root, if /tmp/dhcplog is a symbolic link, the line "setting up resolv.conf" is appended to whatever file the dhcplog symlink points to.
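
A hardened way to write the same log line, as an added example (not Red Hat's script): it refuses a log file that is a symlink or that sits in a directory other users can write to, such as /tmp. The function name log_line and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original advisory or of Red Hat's scripts.
# log_line and the ll_* variable names are hypothetical.

# log_line LOGFILE MESSAGE
# Appends MESSAGE to LOGFILE only if another local user could not have
# redirected the write. Returns 0 on success, 1 if the path is refused.
log_line() {
    ll_file=$1
    ll_msg=$2
    ll_dir=$(dirname -- "$ll_file")

    # The parent directory must exist.
    [ -d "$ll_dir" ] || return 1

    # Refuse a parent directory that is group- or world-writable (/tmp is
    # mode 1777). A symlinked directory is refused too, because find reports
    # the link's own permissive mode here.
    if [ -n "$(find "$ll_dir" -prune \( -perm -0002 -o -perm -0020 \) -print)" ]; then
        return 1
    fi

    # Refuse a symlink in place of the log file.
    [ ! -L "$ll_file" ] || return 1

    # Refuse anything that exists but is not a regular file (FIFO, device...).
    if [ -e "$ll_file" ] && [ ! -f "$ll_file" ]; then
        return 1
    fi

    # Create or append with a private umask so a new log is mode 0600.
    ( umask 077; printf '%s\n' "$ll_msg" >> "$ll_file" )
}

# Usage in the DHCP script (the /var/log path is an assumed location):
#   log_line /var/log/dhcplog "setting up resolv.conf"
```

The symlink test alone would leave a race between the check and the write; the directory permission check is what closes it, since only the directory's owner can then create entries there.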