[12116] in bugtraq
Re: Fix for ssh-1.2.27 symlink/bind problem
daemon@ATHENA.MIT.EDU (Olaf Seibert)
Tue Oct 5 13:39:03 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.NEB.4.05.9910041250110.25517-100000@klei.intern.polderland.nl>
Date: Mon, 4 Oct 1999 12:58:42 +0200
Reply-To: rhialto@POLDER.UBC.KUN.NL
From: Olaf Seibert <rhialto@POLDER.UBC.KUN.NL>
X-To: Scott Gifford <sgifford@TIR.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <m3hfk9l761.fsf@sgifford.tir.com>
On Sat, 2 Oct 1999, Scott Gifford wrote:
> + /* OK, now we know we're in the directory we created. Nobody can
> + * rmdir() this because we are in it. Nobody besides root can have
> + * made a symlink in here, because they wouldn't have permission.
> + * Lookin' good...
> + **/
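Review bot: The second sentence of this comment ("Nobody can rmdir() this because we are in it") records as a guarantee something the visible lines never check, and being a process's current directory does not by itself block rmdir() on many Unix systems. Either drop that sentence or back it with a check before the directory is relied on, for example by confirming that file creation in "." still succeeds or by keeping the directory non-empty. The comment also closes with "**/" where a plain "*/" is the usual style.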
Actually, a directory *can* be rmdir()ed when it is some process's current
directory. You can try that with a couple of shells for instance. But
once the directory is not empty, it cannot be rmdir()ed anymore. Perhaps
you can use that fact to your advantage.
On the other hand, if you're in an rmdir()ed directory, a chdir ("..")
or a rename("somename", "../somename") also don't work, and it looks
like even creation of new files or sockets will fail too, so this could
probably be used as a detection after the fact.
(all this on NetBSD 1.3.3)
-Olaf.
--
___ Olaf 'Rhialto' Seibert - rhialto@polder.ubc. -- If one tells the truth,
\X/ .kun.nl -- one is, sooner or later, to be found out. (Oscar Wilde)
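The two behaviours described in the reply above (an empty current directory can be removed, after which file creation in it fails, while a non-empty one cannot be removed) can be checked on a given platform with the following added example, which is not part of the original post or of the ssh patch. The `/tmp` scratch path and the names `run_case`, `cwd_result`, `placeholder` and `probe` are assumptions made for illustration, and the errno values vary by system.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and fchdir() under strict -std= */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
struct cwd_result {
    int rmdir_errno;   /* 0 if rmdir() of our own cwd succeeded */
    int create_errno;  /* 0 if a file could still be created in the cwd */
};

/* chdir() into a fresh scratch directory, optionally make it non-empty, then
 * try to rmdir() it by path and probe whether file creation still works. */
int run_case(int occupy, struct cwd_result *r)
{
    char path[] = "/tmp/cwdtest.XXXXXX";   /* constructed scratch location */
    int saved = open(".", O_RDONLY);       /* lets us return to the old cwd */
    int fd;

    if (saved < 0) return -1;
    if (mkdtemp(path) == NULL || chdir(path) != 0) { close(saved); return -1; }
    if (occupy) {                          /* our own file keeps the dir non-empty */
        fd = open("placeholder", O_CREAT | O_EXCL | O_WRONLY, 0600);
        if (fd >= 0) close(fd);
    }
    r->rmdir_errno = (rmdir(path) == 0) ? 0 : errno;

    /* After-the-fact detection: creation fails if the cwd has been removed. */
    fd = open("probe", O_CREAT | O_EXCL | O_WRONLY, 0600);
    r->create_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) { close(fd); unlink("probe"); }

    if (occupy) unlink("placeholder");
    if (fchdir(saved) != 0) { close(saved); return -1; }
    close(saved);
    rmdir(path);                           /* fails harmlessly if already gone */
    return 0;
}

int main(void)
{
    struct cwd_result r;
    for (int occupy = 0; occupy <= 1; occupy++) {
        if (run_case(occupy, &r) != 0) { perror("setup"); return 1; }
        printf("occupied=%d rmdir_errno=%d create_errno=%d\n",
               occupy, r.rmdir_errno, r.create_errno);
    }
    return 0;
}
```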