[316] in linux-security and linux-alert archive
Another denial-of-service...
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Sat Aug 12 14:19:29 1995
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Wed, 9 Aug 1995 20:03:55 +0200 (MET DST)
While we are at various denial-of-service attacks: there is another one
with flock(), found while reading util-linux-2.4/login-utils/login.c -
here is the offending piece of code:
    if ((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
        flock(wtmp, LOCK_EX);
        write(wtmp, (char *)&ut, sizeof(ut));
        flock(wtmp, LOCK_UN);
        close(wtmp);
    }
Anyone can get an exclusive lock using flock(fd, LOCK_EX) on any file
which can be opened even read-only. I don't know if this is the correct
flock semantics or not; the fcntl-style locking requires write access
to get an exclusive lock, flock (emulated in libc by using fcntl() with
different parameters) doesn't.
Just write a trivial program doing something like this:
    fd = open("/var/adm/wtmp", O_RDONLY);
    flock(fd, LOCK_EX);
    pause();
and no one can log in because login will block trying to get exclusive
access to wtmp. Kill this process and everything will be fine again.
I don't know why login needs exclusive access to wtmp; isn't O_APPEND
enough to guarantee atomic writes at end of file? I believe it is,
and the two flock calls can be safely removed.
If flock does the right thing now, it should not be used to lock any
important system files readable by users; use fcntl instead!
Marek
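The check the post calls for, as an added example that is not part of the original message: a small C program (assumes modern Linux, where flock() is a native system call rather than the libc emulation the post mentions) that creates a scratch file, opens it read-only the way an unprivileged user could open wtmp, and asks both locking APIs for a non-blocking exclusive lock. The path /tmp/flock_demo_<pid> and the function names are constructed for the example.

```c
/* Added example (not from the original post): compare what BSD flock()
 * and POSIX fcntl() record locks do when asked for an exclusive lock
 * through a read-only descriptor. Assumes modern Linux semantics. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Exclusive POSIX record lock over the whole file, non-blocking.
 * Returns 0 if the lock was granted, otherwise the errno value. */
static int try_fcntl_wrlock(int fd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);
    fl.l_type = F_WRLCK;     /* exclusive: requires a descriptor open for writing */
    fl.l_whence = SEEK_SET;
    fl.l_start = 0;
    fl.l_len = 0;            /* 0 means "through end of file" */
    return fcntl(fd, F_SETLK, &fl) == -1 ? errno : 0;
}

/* Exclusive BSD lock, non-blocking. Returns 0 if granted, otherwise errno. */
static int try_flock_ex(int fd)
{
    return flock(fd, LOCK_EX | LOCK_NB) == -1 ? errno : 0;
}

/* Creates a scratch file (constructed stand-in for wtmp), reopens it
 * read-only, and records what each locking API does on that descriptor.
 * Returns 0 if the setup worked, -1 otherwise. Results go to *fcntl_err
 * and *flock_err (0 = lock granted, otherwise the errno). */
int readonly_lock_check(int *fcntl_err, int *flock_err)
{
    char path[64];
    int fd;

    /* hypothetical scratch path, unique per process */
    snprintf(path, sizeof path, "/tmp/flock_demo_%ld", (long)getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1)
        return -1;
    close(fd);

    /* the access an ordinary user has to a world-readable system file */
    fd = open(path, O_RDONLY);
    if (fd == -1) {
        unlink(path);
        return -1;
    }

    *fcntl_err = try_fcntl_wrlock(fd);
    *flock_err = try_flock_ex(fd);

    close(fd);      /* closing the descriptor drops both kinds of lock */
    unlink(path);
    return 0;
}

int main(void)
{
    int fe, le;
    if (readonly_lock_check(&fe, &le) != 0) {
        perror("setup");
        return 1;
    }
    printf("fcntl F_WRLCK on read-only fd: %s\n", fe ? strerror(fe) : "granted");
    printf("flock LOCK_EX on read-only fd: %s\n", le ? strerror(le) : "granted");
    return 0;
}
```

On Linux the fcntl request is refused with EBADF, because an exclusive record lock needs a descriptor open for writing, while flock grants the exclusive lock through the read-only descriptor. That asymmetry is the whole point of the post: a writer that serialises on flock() can be held off by any process that can merely read the file, whereas an fcntl() write lock can only be contended by processes that could write the file anyway. One caveat a practitioner should keep in mind when switching to fcntl locks: they belong to the process, not the descriptor, and are released as soon as the process closes any descriptor on that file, so the locked region must not be touched through a second, independently opened handle.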