[535] in linux-security and linux-alert archive
Race conditions.
daemon@ATHENA.MIT.EDU (R.E.Wolff@et.tudelft.nl)
Tue Dec 26 13:04:15 1995
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 26 Dec 1995 14:15:46 +0100 (MET)
From: R.E.Wolff@et.tudelft.nl
> The basic problem is that there is a race condition that exists between
> the point that a program calls mktemp(), and the pathname returned by mktemp
> is actually created. For some programs, the file creation is immediately
> or almost immediately following the mktemp(), resulting in an extremely
> small window of opportunity, and as a result making it very difficult to
> exploit. However, there are other programs that do not immediately open
> the file, and in these cases it is only a matter of getting the timing
> right in order to exploit the hole.
I'd like to educate all the linux-security-conscious people:
A small time-window in which to create a file is NOT secure.
The fliplink trick will yield around a 25% chance of succeeding:
create a program that does (the system call for):
    while (1) {
        mv a b
        mv b a
    }
If "a" is the tmpfile, mktemp has a 50% chance of not finding anything
there. mktemp will use that filename in 50% of the cases. Next the
program opens the file. Now with a 50% chance of finding the "b"
file there. All in all around 25% chance for success.
In practice current computers can call "mktemp" and have created the
tmpfile before their timeslice is over, so in practice it is still
a little bit harder. Other OSes like SunOS are actually worse:
The "mv" calls will perform physical IO, and suspend the flip-program.
This results in a near 100% success rate.... :-)
Roger Wolff.
--
*** War doesn't determine who's right ****** War determines who's left. ***
** EMail: R.E.Wolff@et.tudelft.nl * Tel +31-15-2783643 or +31-15-2137459 **
*** http://einstein.et.tudelft.nl/~wolff/ (my own homepage) ***
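An added illustration of the mitigation, not code from Roger's post: the racy "choose a name, open it later" pattern beside the atomic O_CREAT|O_EXCL open that mkstemp(3) relies on, run against a constructed scenario in which the flip program has already won and a file or a symlink sits at the chosen name (the scratch directory under /tmp is an assumption).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The pattern the post attacks: a name is chosen (mktemp) and only
 * later opened with O_CREAT. If the flip program has moved a file or
 * link into place in between, open() silently uses it. */
int open_tmp_racy(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Atomic creation: O_CREAT|O_EXCL makes the kernel refuse any path
 * that already exists (EEXIST, also for a symlink), and O_NOFOLLOW
 * refuses symlinks outright, so nothing planted during the window can
 * be handed to the program. mkstemp(3) uses the same flags. */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: the race is already lost and a plain file
 * (kind == 0) or a symlink to another file (kind == 1) sits at the
 * name. Returns 1 if the racy open accepted it and the atomic open
 * refused it, 0 otherwise. */
int demo_planted(int kind) {
    char dir[] = "/tmp/mktemp-race-XXXXXX";   /* scratch dir, assumed writable */
    if (mkdtemp(dir) == NULL) return 0;
    char path[80], target[80];
    snprintf(path, sizeof path, "%s/a", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    int ok = 0;
    if (kind == 0) ok = close(open(path, O_WRONLY | O_CREAT, 0600)) == 0;
    else           ok = symlink(target, path) == 0;
    int racy = ok ? open_tmp_racy(path) : -1;   /* follows the symlink too */
    int safe = ok ? open_tmp_safe(path) : -1;
    int safe_errno = errno;
    if (racy >= 0) close(racy);
    if (safe >= 0) close(safe);
    unlink(target); unlink(path); rmdir(dir);
    if (!ok || racy < 0 || safe >= 0) return 0;
    return kind == 0 ? safe_errno == EEXIST : 1;  /* plain file: must be EEXIST */
}

int main(void) {
    printf("planted file:    racy accepted, atomic refused: %d\n", demo_planted(0));
    printf("planted symlink: racy accepted, atomic refused: %d\n", demo_planted(1));
    return 0;
}
```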