[13203] in bugtraq


Re: Symlinks and Cryogenic Sleep

daemon@ATHENA.MIT.EDU (der Mouse)
Tue Jan 4 15:18:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <200001040204.VAA08004@Twig.Rodents.Montreal.QC.CA>
Date:         Mon, 3 Jan 2000 21:04:27 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

> [symlink-paranoia code]

> However, consider an average setuid root application, [...].  When
> the application reaches the critical section of code between the
> lstat and the open, you stop it by sending it a SIGSTOP.

If you can send it a SIGSTOP, either you're running as root (in which
case you don't *need* to play with symlink races), the application is
running as you (in which case breaking it buys you nothing), or signal
delivery is critically broken.

In fact, I suspect that any process you can SIGSTOP, you can attach to
with ptrace and do whatever you want without need for subterfuge.

> 	--for instance a lookup of /tmp/foo (as done by lstat()) will
> 	change the directory's atime.

"That turns out not to be the case."  Or at least, you can't count on
it:

[Sparkle] 115> ls -ldu /tmp
drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
[Sparkle] 116> date
Mon Jan  3 23:15:27 EST 2000
[Sparkle] 117> ls -ld /tmp/foobar
/tmp/foobar not found
[Sparkle] 118> ls -ldu /tmp
drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
[Sparkle] 119>

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
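The two points in the message above, that a failed lookup of a missing name does not move the directory's atime and that the only real fix is to remove the lstat()-then-open() window altogether, can both be checked from a small program. The following is an added example written for this archive page; it is not der Mouse's code nor anything posted to the thread. It assumes a POSIX system with a writable /tmp: atime_probe() repeats the ls -ldu experiment programmatically in a fresh scratch directory, and create_exclusive() shows the race-free alternative (open() with O_CREAT|O_EXCL|O_NOFOLLOW followed by fstat() on the descriptor you actually got), which leaves no critical section to stretch with SIGSTOP. The directory and file names are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Does a failed lookup of `missing` (what lstat() does) change the atime
 * of `dir`?  Returns 1 if atime moved, 0 if not, -1 on error. */
int lookup_changes_dir_atime(const char *dir, const char *missing)
{
    struct stat before, after, dummy;
    if (stat(dir, &before) != 0) return -1;
    sleep(1);                       /* make a change visible at 1s granularity */
    if (lstat(missing, &dummy) == 0 || errno != ENOENT) return -1; /* must be absent */
    if (stat(dir, &after) != 0) return -1;
    return before.st_atime != after.st_atime;
}

/* Run the probe in a private scratch directory so no other process can
 * touch the atime while we look.  Returns the probe result or -1. */
int atime_probe(void)
{
    char dir[] = "/tmp/atimeprobe.XXXXXX";   /* constructed scratch path */
    if (mkdtemp(dir) == NULL) return -1;
    char missing[256];
    snprintf(missing, sizeof missing, "%s/foobar", dir);
    int rc = lookup_changes_dir_atime(dir, missing);
    rmdir(dir);
    return rc;
}

/* Race-free creation: the open() itself is the existence check, so there is
 * no window between "look" and "open".  O_EXCL makes open() fail if the name
 * already exists, including when it is a symlink, whatever the link points
 * at; O_NOFOLLOW is belt and braces.  fstat() on the descriptor then verifies
 * what we actually opened.  Returns the fd, or -1 (errno from open on failure). */
int create_exclusive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Exercise create_exclusive() in a fresh directory.  Returns a bitmask:
 * bit 0: first create succeeds; bit 1: second create of the same name fails
 * with EEXIST; bit 2: create through a pre-planted dangling symlink (the
 * situation the race is about) fails; bit 3: the link target was never
 * created.  Returns -1 on setup error. */
int race_free_demo(void)
{
    char dir[] = "/tmp/symlinkdemo.XXXXXX";  /* constructed scratch path */
    if (mkdtemp(dir) == NULL) return -1;
    char target[256], lnk[256], victim[256];
    snprintf(target, sizeof target, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int result = 0;
    int fd = create_exclusive(target);
    if (fd >= 0) { result |= 1; close(fd); }
    if (create_exclusive(target) < 0 && errno == EEXIST) result |= 2;
    if (symlink(victim, lnk) == 0 && create_exclusive(lnk) < 0) result |= 4;
    struct stat st;
    if (lstat(victim, &st) != 0 && errno == ENOENT) result |= 8;

    unlink(lnk); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("lookup of missing name changed dir atime: %d\n", atime_probe());
    printf("race-free create demo bitmask (15 = all good): %d\n", race_free_demo());
    return 0;
}
```

On Linux and the BSDs the probe returns 0: path resolution never touches the parent's atime, only reading the directory (readdir) does, so atime is not a usable tripwire for the lookup the message describes. The bitmask of 15 shows that with O_EXCL the kernel refuses the symlink outright and the file it pointed at is never created, which is the property a setuid program wants instead of a lstat()/open() pair.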
