
Re: gzip TOCTOU file-permissions vulnerability

daemon@ATHENA.MIT.EDU (Peter J. Holzer)
Fri Apr 15 15:47:43 2005

Date: Fri, 15 Apr 2005 13:31:48 +0200
From: "Peter J. Holzer" <hjp@wsr.ac.at>
To: bugtraq@securityfocus.com
Message-ID: <20050415113148.GT22499@wsr.ac.at>
Mail-Followup-To: bugtraq@securityfocus.com
In-Reply-To: <94568D36597F074DBAF976CA2C6CCDCA10F8E3@EDM-GOA-EXCC-1A.goa.ds.gov.ab.ca>


--PLOb/g6AMdJ1vPHZ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On 2005-04-14 09:27:11 -0600, Mark Senior wrote:
> > From: Derek Martin [mailto:code@pizzashack.org]
> > Sent: April 13, 2005 08:50
> > The open() call is at fault here.  If instead of being called
> > with a mode of RW_USER, it is called with the final intended
> > access mode, there is no need to later call chmod(), and the
> > problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.

I don't know about Windows, but on POSIX systems you can create a file
without write permissions and still write to it.

A small example from the shell:

bernon:~/tmp 12:58 121% umask 0777
bernon:~/tmp 12:58 122% echo foo > bar
bernon:~/tmp 12:58 123% ll bar
----------  1 hjp sysadm 4 Apr 15 12:58 bar

As you can see, the file has no permissions, but still length 4.

This trick is sometimes used for lock files.

	hp


-- 
   _  | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in
|_|_) | Sysadmin WSR     \the source, and you might run into a memory leak if 
| |   | hjp@wsr.ac.at     \you enable embedded haskell as a loadable module and
__/   | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae@op5.se

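The point Holzer makes above (put the final mode in the open() call, write through the descriptor open() returned, and there is nothing left for a later chmod() to do) as an added C example. This is not code from the original post or from gzip; the scratch path under /tmp and the function names are my own, and the "foo\n" payload is constructed to match the 4-byte file in the shell transcript.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` with `mode` as its final permission bits in the open() call
 * itself, then write `data` through the returned descriptor.  No chmod()
 * follows, so there is never a window in which the file carries interim
 * permissions.  On success fills *st (via fstat on the open descriptor, not
 * stat on the path) and returns 0; on failure returns -1 with errno set. */
int create_with_final_mode(const char *path, mode_t mode, const char *data,
                           struct stat *st)
{
    /* O_EXCL makes open() fail if anything already exists at `path`
     * (a symlink included) instead of writing into it. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0)
        return -1;

    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    if (n < 0 || (size_t)n != len) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Write access was granted at open() time; the permission bits are not
     * re-checked on each write(), which is why a mode-0 file can be filled. */
    if (fstat(fd, st) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Permission bits of the created file, for comparison with `ls -l`. */
unsigned perm_bits(const struct stat *st)
{
    return (unsigned)(st->st_mode & 07777);
}

/* Try to reopen `path` for writing by name.  Returns 0 if the kernel allows
 * it, otherwise the errno (EACCES for a mode-0 file when not running as root). */
int reopen_for_write(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *path = "/tmp/gr_mode0_example";   /* assumed scratch path */
    struct stat st;

    unlink(path);                                 /* start from a clean slate */
    if (create_with_final_mode(path, 0, "foo\n", &st) < 0) {
        perror("create_with_final_mode");
        return 1;
    }
    printf("mode %04o, size %lld bytes\n", perm_bits(&st), (long long)st.st_size);

    int rc = reopen_for_write(path);
    if (rc == 0)
        printf("reopen for write succeeded (root bypasses the mode bits)\n");
    else
        printf("reopen for write by path refused: %s\n", strerror(rc));

    unlink(path);
    return 0;
}
```

Run as an ordinary user this prints a mode of 0000 with a size of 4 bytes, and the second open() by path is refused; the descriptor from the creating open() is the only handle that could ever write the file, which is exactly what an extractor needs. Root is the one caveat: it ignores the mode bits, so the reopen succeeds there, but the created file still has the mode the archive intended from its first instant of existence.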