[300] in Best-of-Security
BoS: Security hole in 2.1.48 + the plug for it :)
daemon@ATHENA.MIT.EDU (Chris Evans)
Mon Aug 11 10:00:15 1997
Date: Mon, 11 Aug 1997 10:36:28 +0100 (BST)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
cc: torvalds@transmeta.com
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
Hi,

Over the weekend I started a little patch to actually secure immutable and
append-only files when securelevel is set (writes to block devices are
disallowed, and numerous other things denied).

I poked around the kernel sources, to check for oversights in the handling
of immutable and append-only files, and look what I found....

The patch is relative to 2.1.48. It might be worthwhile backporting it for
inclusion into 2.0.31, to accompany the "rename on top of immutable" fix.

Chris

--- namei-old.c Sun Aug 10 20:10:53 1997
+++ namei.c Sun Aug 10 20:27:54 1997
@@ -10,6 +10,7 @@
/* [Feb 1997 T. Schoebel-Theuer] Complete rewrite of the pathname
* lookup logic.
+ * [Aug 1997 C. Evans] Fix O_TRUNC on append only files security problem.
*/
#include <linux/errno.h>
@@ -579,9 +580,11 @@
}
/*
* An append-only file must be opened in append mode for writing.
- */
+ * Additionally, we must disallow O_TRUNC -- cevans
+ */
error = -EPERM;
- if (IS_APPEND(inode) && ((flag & FMODE_WRITE) && !(flag & O_APPEND)))
+ if (IS_APPEND(inode) && ((flag & O_TRUNC) ||
+ ((flag & FMODE_WRITE) && !(flag & O_APPEND))))
goto exit;
if (flag & O_TRUNC) {
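
Review bot: The comment above the rewritten IS_APPEND() condition does not say why O_TRUNC is tested on its own rather than together with FMODE_WRITE. In the lines shown, the truncation branch that follows, "if (flag & O_TRUNC) {", is not gated on FMODE_WRITE, so an open that passes O_TRUNC without write mode has to be refused as well; the new condition does that, and the comment should state it so a later cleanup does not fold the O_TRUNC test into the FMODE_WRITE clause. Something like "O_TRUNC is refused regardless of access mode, since the truncate below does not depend on FMODE_WRITE" would do. As a style point, the "-- cevans" signature in this comment duplicates the changelog entry added at the top of the file and can be dropped, and that changelog entry writes "append only" where this comment writes "append-only"; pick one spelling.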