I got a question about this vulnerability. I don't quite understand it. I got the article from
Anyhow my configuration is affected because of the way hard links are created. I ran the following script.
ln -s src dst1
ln dst1 dst2
and my system created two symlinks.
lrwxrwxrwx 2 user users 3 Mmm dd hh:mm dst1 -> src
lrwxrwxrwx 2 user users 3 Mmm dd hh:mm dst2 -> src
-rw-r--r-- 1 user users 0 Mmm dd hh:mm src
So according to the article "an attacker can hardlink a root-owned symlink to for example /var/mail, and cause Postfix to append mail to existing files that are owned by root or non-root accounts."
Can somebody give an example of this? As a non-root user I can create a hardlink named "link" to "/var/mail" but "/var/mail" is only a directory so things like
echo test123 > link
have no effect on "/var/mail."
How would an attacker literally create a link to "/var/mail" an append mail to a root or non-root file?
I'd like to understand this.