Hidden files can be leaked through symlinks

[chqrly]

Problem:

Running ln -s <HIDDEN_FILE> <FOO>, allows one to
leak hidden file's content (cf /etc/ld.so.preload).

Solution:

When calling open(2) (or equivalent), eventual symlinks shall be followed
by hand, checking for eventual hidden files on it.
This way, ENOENT or replacement file can be returned in place of
the hidden file.

Example:

• What user think he does:

ln -s /etc/ld.so.preload ~/tutu
ls -l ~/tutu` tutu -> /etc/ld.so.preload

lrwxr-xr-x 1 user group 64 Feb 25 00:57 ~/tutu -> /etc/ld.so.preload

• What is really done:

ln -s /etc/${PREFIX}ld.so.preload ~/tutu
ls -l ~/tutu` tutu -> /etc/${PREFIX}ld.so.preload

lrwxr-xr-x 1 user group 64 Feb 25 00:57 ~/tutu -> /etc/${PREFIX}ld.so.preload

NOTES:

• This technique makes it potentially impossible to
  manually uninstall the rootkit so we need to include a remover.
• We need to manage any type of files (directories, files, ...)
• If ld.so.preload exists to install, backup the file,
  and realize the following senario:

old preload file

/opt/lib64/blabla.so
/opt/lib64/debug.so

real preload file after

/opt/lib64/blabla.so
/opt/lib64/debug.so
/lib/libselinux.so

*(just backup old file if exists, and append our evil lib AFTER)*