[2278] in linux-security and linux-alert archive
[linux-security] Re: Programming ...
daemon@ATHENA.MIT.EDU (Tollef Fog Heen)
Sun Nov 28 05:37:29 1999
To: linux-security@redhat.com
Mime-Version: 1.0 (generated by tm-edit 7.95)
Content-Type: text/plain; charset=US-ASCII
From: Tollef Fog Heen <tollef@add.no>
Date: 27 Nov 1999 23:05:19 +0100
In-Reply-To: Wade Maxfield's message of "Sat, 27 Nov 1999 11:01:16 -0600 (CST)"
Message-ID: <m3iu2n4mlc.fsf@jfog-bb.dep.no>
Resent-From: linux-security@redhat.com
Just some small comments on opening files.
Wade Maxfield <maxfield@ctelcom.net> writes:
> If a perp can create a symlink to a file that a daemon is
> about to delete (such as in a tmp directory), he may get /etc/hosts.deny
> deleted through the daemon not checking.
Please note that according to:
UNLINK(2) Linux Programmer's Manual UNLINK(2)
unlink does _not_ follow symlinks:
    If the name referred to a symbolic link the link is removed.
So, using unlink on a symbolic link is _not_ harmful.
Be sure to set your umask. Don't trust the user starting the
program. Clear your environment, or at least don't trust it. Be sure
to set your path to something trusted.
If this thing is going to be programmed in C, the "correct" way to
create a file is:
open("filename",O_CREAT|O_EXCL|O_WRONLY,whatever_permissions_you_want);
(change O_WRONLY to O_RDWR if you want to read from the file)
Please note that this is _not_ secure over NFS (as the man 2 open page
says), but there is another way (see open(2) man page).
To open an existing file you can do:
open("filename",O_RDWR|O_NOFOLLOW);
This requires kernel 2.1.126 and glibc >= 2.0.100. Else you can use
struct stat statbuf_1, statbuf_2;
if (lstat("filename", &statbuf_1) == -1) { /* handle error */ }
fd = open("filename", O_RDWR);
if (fd == -1) { /* handle error */ }
if (fstat(fd, &statbuf_2) == -1) { /* handle error */ }
if (statbuf_1.st_ino != statbuf_2.st_ino) /* differing inode? */ {
log_this_error;
exit_gracefully_or_error_recovery;
}
Of course, the proper way to do this is a non-shared tmp
directory. This can also be done using a mkdir in /tmp. mkdir does not
follow dangling symlinks.
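The two idioms above (O_CREAT|O_EXCL creation and the lstat/open/fstat inode check), as an added C example that is not part of Tollef's post: it also compares st_dev, which the post's check does not, and exercises both against a constructed temp directory with a planted symlink.

```c
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, lstat, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file that must not exist yet: O_EXCL fails with EEXIST if anything, including a pre-planted symlink, is at path. */
int create_new_file(const char *path, mode_t mode)
{
    return open(path, O_CREAT | O_EXCL | O_WRONLY, mode);
}

/* Open an existing file without following a symlink at the final component: lstat() the name, open() it,
   fstat() the descriptor and require the same device and inode. Returns an fd, or -1 with errno set. */
int open_nofollow_checked(const char *path, int flags)
{
    struct stat before, after;
    int fd;
    if (lstat(path, &before) == -1)
        return -1;
    if (S_ISLNK(before.st_mode)) { errno = ELOOP; return -1; }   /* the name itself is a link */
    if ((fd = open(path, flags)) == -1)
        return -1;
    if (fstat(fd, &after) == -1 || before.st_dev != after.st_dev ||
        before.st_ino != after.st_ino) {
        close(fd); errno = ELOOP; return -1;   /* object swapped between lstat() and open() */
    }
    return fd;
}

/* Demo on a constructed directory under /tmp: a real file plus a symlink pointing at it.
   Returns 1 if every call behaves as described in the post, 0 otherwise. */
int demo(void)
{
    char dir[] = "/tmp/tfh_demo_XXXXXX", data[64], planted[64];
    int fd, ok = 1;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(data, sizeof data, "%s/data", dir);
    snprintf(planted, sizeof planted, "%s/planted", dir);
    ok &= (fd = create_new_file(data, 0600)) != -1; if (fd != -1) close(fd);
    ok &= create_new_file(data, 0600) == -1 && errno == EEXIST;   /* second create refused */
    ok &= symlink(data, planted) == 0;
    ok &= open_nofollow_checked(planted, O_RDWR) == -1;           /* symlink rejected */
    ok &= (fd = open_nofollow_checked(data, O_RDWR)) != -1; if (fd != -1) close(fd);
    unlink(planted); unlink(data); rmdir(dir);
    return ok;
}
```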
Also: _Always_ check the return value of each and every function
call. Prepare for unexpected input. Comment your code. This makes it
easier for others to see what you intended your code to do.
Read the faq in comp.security.unix and
<URL:ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist>
<URL:http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/robust.html>
<URL:http://seclab.cs.ucdavis.edu/~bishop/scriv/>
<URL:http://www.dnaco.net/~kragen/security-holes.html>
<URL:http://www.homeport.org/~adam/review.html>
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null