The file `$HOME/.config/Yubico/u2f_keys` is blindly followed by the PAM module. It can be a symlink pointing to an arbitrary file. The PAM module only rejects non-regular files and files owned by other users than root or the to-be-authenticated user. Even these checks are only made after open()'ing the file, which may already trigger certain logic in the kernel that is otherwise not reachable to regular users.
Tag: Symlink Attack
ASA-2018-00092 – systemd: Privilege escalation by following non-terminal symlinks
Before version v240, the systemd-tmpfiles program will follow symlinks present in a non-terminal path component while adjusting permissions and ownership. Often -- and particularly with "Z" type entries -- an attacker can introduce such a symlink and take control of arbitrary files on the system to gain root. The "fs.protected_symlinks" sysctl does not prevent this attack. Version v239 contained a partial fix, but only for the easy-to-exploit recursive "Z" type entries.