[13239] in bugtraq


Re: Symlinks and Cryogenic Sleep

daemon@ATHENA.MIT.EDU (Antonomasia)
Wed Jan 5 14:05:00 2000

Message-Id:  <200001042232.WAA01957@notatla.demon.co.uk>
Date:         Tue, 4 Jan 2000 22:32:16 GMT
Reply-To: Antonomasia <ant@NOTATLA.DEMON.CO.UK>
From: Antonomasia <ant@NOTATLA.DEMON.CO.UK>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Olaf Kirch asked about checking files when you reopen them and
questioned the usefulness of

>       if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) {
>               fd = open(fname, O_RDWR);
>               if (fd < 0 || fstat(fd, &stb2) < 0
>                || ino_or_dev_mismatch(&stb1, &stb2))
>                       raise_big_stink();
>       } else {
>               /* do the O_EXCL thing */
>       }

"Mark A. Heilpern" <heilpern@MINDSPRING.COM> and
der Mouse <mouse@RODENTS.MONTREAL.QC.CA> maintain that mortals can only
send a SIGSTOP to their own processes.

When I send a SIGSTOP to a passwd process (uid=me,euid=0) I get:

linux 2.0.36:  stopped
linux 2.2.12:  stopped
OpenBSD 2.5:   stopped

No doubt Olaf selected SIGSTOP in his example because it cannot be handled.


Goetz Babin-Ebell <babinebell@TRUSTCENTER.DE> provided some code which
I've not tested but looks as if it will leak open files and will
call fopen(cpFile,"a"); first and lstat() afterwards.  This could lead
to the creation of unintended files at the symlink target.  Only comparison
to S_IFLNK is done, leaving named pipes in the running.
It might also be raced either side of the lstat() call.  fstat() is not used.

While I'm on this I'll mention a code scanner I wrote last year for checking
file races.  It follows a description of an unpublished scanner by Matt Bishop
and Michael Dilger and is demonstrated on sendmail-8.6.10.  In Perl.
http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz

Olaf's suggested function ino_or_dev_mismatch(&stb1, &stb2) could be
extended to check the file's owner and group remain unchanged.  This
means even if a file is switched the attacker gains nothing - he has
to replace it with an equivalent file.

--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
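The lstat/open/fstat pattern quoted above, written out as a complete helper that also compares owner and group as suggested at the end of the post. This is an added example, not code from the original thread or from Olaf Kirch; the error code used for a refused reopen (EPERM), the names safe_reopen()/run_demo(), and the /tmp scratch directory are this example's own assumptions.

```c
/* Added example: "reopen and verify" with the lstat/open/fstat pattern.
 * Assumes a POSIX system (tested mentally against Linux semantics). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the two stat buffers describe different objects or the owner/group
 * changed; 0 if they agree.  Extends ino_or_dev_mismatch() with uid/gid. */
int ino_dev_owner_mismatch(const struct stat *a, const struct stat *b)
{
    return a->st_dev != b->st_dev || a->st_ino != b->st_ino ||
           a->st_uid != b->st_uid || a->st_gid != b->st_gid;
}

/* Open fname read/write only if it is, and after open() still is, the
 * regular file lstat() saw.  Anything else (absent, symlink, FIFO, ...)
 * goes to the O_CREAT|O_EXCL path, which creates only a brand-new file and
 * fails with EEXIST when a link or other object already holds the name.
 * Returns an fd >= 0, or -1 with errno set. */
int safe_reopen(const char *fname)
{
    struct stat stb1, stb2;
    int fd;

    if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) {
        fd = open(fname, O_RDWR);          /* no O_CREAT: never create via a link */
        if (fd < 0)
            return -1;
        if (fstat(fd, &stb2) < 0 || ino_dev_owner_mismatch(&stb1, &stb2)) {
            close(fd);                      /* do not leak the descriptor */
            errno = EPERM;                  /* assumed code: "file changed underneath us" */
            return -1;
        }
        return fd;
    }
    return open(fname, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Constructed stat buffers: same inode, owner changed -> must be a mismatch. */
int owner_change_detected(void)
{
    struct stat a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    a.st_dev = b.st_dev = 1;
    a.st_ino = b.st_ino = 1234;
    a.st_uid = 1000;                        /* was ours ... */
    b.st_uid = 0;                           /* ... now root-owned */
    return ino_dev_owner_mismatch(&a, &b) == 1 &&
           ino_dev_owner_mismatch(&a, &a) == 0;
}

/* Exercise safe_reopen() in a scratch directory.  Returns the number of
 * behaviours confirmed; 4 means every case behaved as described above. */
int run_demo(void)
{
    char dir[] = "/tmp/safe_reopen_XXXXXX";  /* assumed writable scratch area */
    char path[64], target[64];
    struct stat a, b;
    int ok = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/data", dir);
    snprintf(target, sizeof target, "%s/target", dir);

    /* 1. name absent: created atomically with O_EXCL */
    fd = safe_reopen(path);
    if (fd >= 0) { ok++; close(fd); }

    /* 2. name is an existing regular file we own: reopened, fstat agrees */
    fd = safe_reopen(path);
    if (fd >= 0 && lstat(path, &a) == 0 && fstat(fd, &b) == 0 &&
        !ino_dev_owner_mismatch(&a, &b))
        ok++;
    if (fd >= 0) close(fd);

    /* 3. name is a (dangling) symlink: refused, and the target is NOT created */
    unlink(path);
    if (symlink(target, path) == 0) {
        fd = safe_reopen(path);
        if (fd < 0 && errno == EEXIST && lstat(target, &a) < 0 && errno == ENOENT)
            ok++;
    }
    unlink(path);

    /* 4. name is a FIFO: not S_ISREG, so O_EXCL refuses it */
    if (mkfifo(path, 0600) == 0) {
        fd = safe_reopen(path);
        if (fd < 0 && errno == EEXIST)
            ok++;
    }
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("behaviours confirmed: %d of 4\n", run_demo());
    return 0;
}
```

The lstat() result only decides which branch to take; the check that actually catches a name being swapped between lstat() and open() is the fstat() comparison on the descriptor already held. Ordering matters in the way the post criticises: nothing is opened or created until after lstat(), so a symlink at the name never causes a file to appear at its target, and the descriptor is closed on every failure path rather than leaked.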
