[38404] in bugtraq
Re: gzip TOCTOU file-permissions vulnerability
daemon@ATHENA.MIT.EDU (Scott Gifford)
Fri Apr 15 16:52:36 2005
X-Delivered-To: bugtraq@securityfocus.com
To: "Mark Senior" <Mark.Senior@gov.ab.ca>
Cc: "Derek Martin" <code@pizzashack.org>, <bugtraq@securityfocus.com>
From: Scott Gifford <sgifford@suspectclass.com>
Date: Fri, 15 Apr 2005 01:33:12 -0400
In-Reply-To: <94568D36597F074DBAF976CA2C6CCDCA10F8E3@EDM-GOA-EXCC-1A.goa.ds.gov.ab.ca> (Mark
Senior's message of "Thu, 14 Apr 2005 09:27:11 -0600")
Message-ID: <ly1x9ceh9j.fsf@gfn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
"Mark Senior" <Mark.Senior@gov.ab.ca> writes:
>
>
>> From: Derek Martin [mailto:code@pizzashack.org]
>> Sent: April 13, 2005 08:50
>>
>>
>> The open() call is at fault here. If instead of being called
>> with a mode of RW_USER, it is called with the final intended
>> access mode, there is no need to later call chmod(), and the
>> problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.
In a quick test, this seems not to be true, at least on my Linux
system. It may be true over NFS.
[gifford@gifford tmp]$ ls -ld testfile
ls: testfile: No such file or directory
[gifford@gifford tmp]$ cat t.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
void die(char *msg)
{
perror(msg);
exit(1);
}
int main()
{
int fd;
if ((fd = open("testfile",O_CREAT|O_WRONLY,0)) < 0)
die("open failed");
if (write(fd,"output\n",7) < 0)
die("write failed");
if (close(fd) < 0)
die("close failed");
return 0;
}
[gifford@gifford tmp]$ gcc -Wall t.c
[gifford@gifford tmp]$ ./a.out
[gifford@gifford tmp]$ ls -ld testfile
---------- 1 gifford gifford 7 Apr 15 01:28 testfile
[gifford@gifford tmp]$ chmod +r testfile
[gifford@gifford tmp]$ cat testfile
output
[gifford@gifford tmp]$
----ScottG.
