[14838] in bugtraq
Re: Race condition in "rm -r"
daemon@ATHENA.MIT.EDU (David Brownlee)
Mon May 8 14:59:16 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.NEB.4.21.0005071952120.2199-100000@IP113.BM.PurpleI.com>
Date: Sun, 7 May 2000 19:55:22 +0100
Reply-To: abs@MONO.ORG
From: David Brownlee <abs@MONO.ORG>
X-To: Glynn Clements <glynn@SENSEI.CO.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <14612.37604.614357.770670@cerise.sensei.co.uk>
On Sat, 6 May 2000, Glynn Clements wrote:
> > Also affected:
> >
> > chmod, chown, chgrp. (Probably; this is guesswork.)
>
> ... and every other program that modifies the filesystem in any way,
> unless it jumps through the same hoops.
>
> If, that is, you let them near directories with unsafe permissions.
>
> In the long term, there are three main options:
>
> 1. Abolish symlinks. This might be considered overkill, though.
>
> 2. Write every program as if it was a /tmp cleaner. I.e. never pass
> full pathnames to system calls, but chdir() down one level at a time
> from "/", [lf]stat()ing as you go and never following symlinks, then
> open("./filename"). In which case, you may as well abolish symlinks.
>
> 3. Don't do dangerous things in world-writable directories. Better
> still, get rid of world-writable directories altogether; it isn't that
> difficult. IOW, fix the bug, not the symptoms.
4. Add an option to not traverse symlinks in system calls.
Call realpath() on initial argument before setting.
David/absolute
-- www.netbsd.org: No hype required --
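
Options 2 and 4 in the message above both come down to resolving a path without ever following a symlink in any component. The following is an added example, not part of the original message or of any project's code: it walks a path with `openat()` and `O_NOFOLLOW`, holding a directory descriptor at each level instead of calling `chdir()`. The helper name `open_nofollow`, the `demo()` function and the temporary tree it builds are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example (hypothetical helper): open `path` relative to directory fd
 * `root`, one component at a time, refusing every symlink and every "..".
 * Pass an fd for "/" to walk from the root. Returns fd, or -1 with errno. */
int open_nofollow(int root, const char *path, int flags)
{
    char buf[4096], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dir = dup(root);                 /* private handle we may close */
    char *name = strtok_r(buf, "/", &save);
    while (dir >= 0 && name) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1;
        if (strcmp(name, "..") == 0)
            errno = EINVAL;              /* never climb back out */
        else                             /* non-final parts must be real dirs */
            fd = openat(dir, name,
                        O_NOFOLLOW | (next ? O_RDONLY | O_DIRECTORY : flags));
        int saved = errno; close(dir); errno = saved;
        dir = fd;                        /* descend, or -1 on refusal */
        name = next;
    }
    return dir;
}

/* Constructed tree: <tmp>/real/file plus symlink <tmp>/link -> real.
 * Returns 1 when the real path opens and the symlinked path is refused. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollowXXXXXX";
    int root = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (root < 0) return -1;
    mkdirat(root, "real", 0700);
    close(openat(root, "real/file", O_CREAT | O_WRONLY, 0600));
    symlinkat("real", root, "link");
    int ok = open_nofollow(root, "real/file", O_RDONLY);
    int bad = open_nofollow(root, "link/file", O_RDONLY);
    int plain = openat(root, "link/file", O_RDONLY);   /* follows the link */
    unlinkat(root, "real/file", 0); unlinkat(root, "link", 0);
    unlinkat(root, "real", AT_REMOVEDIR); rmdir(tmpl);
    close(ok); close(bad); close(plain); close(root);
    return ok >= 0 && bad < 0 && plain >= 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

Because each step is an `openat()` on an already-open directory descriptor, swapping a component for a symlink between steps makes the open fail rather than redirecting it.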