[6156] in bugtraq


Race conditions - alternate patch

daemon@ATHENA.MIT.EDU (Michał Zalews)
Sun Feb 22 18:54:52 1998

Date: 	Sun, 22 Feb 1998 15:16:50 +0100
Reply-To: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
From: Michał Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG

Oh, I forgot one important thing. My kernel patch DOES NOT prevent
root from doing stupid and irresponsible things. If root WANTS to
write to any pipe/file - he can do that. But if you don't trust yourself,
or you're doing everything (compiling, sending mail, ircing...) at
UID=0 (huh) - you may modify the patch to protect you against yourself
and your stupidity ;) Here's an alternate version of the patch:

-- race_patch-2.0-supersafe.patch --
'Super-safe race patch' by Michal Zalewski <lcamtuf@staszic.waw.pl>
and Krzysztof G. Baranowski <kgb@manjak.knm.org.pl>

--- linux-2.0.33/fs/namei.c.orig Sun Aug 17 01:23:19 1997
+++ linux-2.0.33/fs/namei.c  Sat Feb 21 16:00:20 1998
@@ -19,6 +19,7 @@
#include <linux/fcntl.h>
#include <linux/stat.h>
#include <linux/mm.h>
+#include <linux/config.h>
#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
@@ -405,6 +406,13 @@
   iput(inode);
   return error;
  }
+ #ifdef CONFIG_RACE_FIX
+ if ((S_ISREG(inode->i_mode) || S_ISFIFO(inode->i_mode)) && (dir->i_mo=
de
+ & S_ISVTX) && current->fsuid!=3Dinode->i_uid && (flag & 2)) {
+   iput(inode);
+   return -EPERM;
+ }
+ #endif /* CONFIG_RACE_FIX */
  if (S_ISFIFO(inode->i_mode) || S_ISSOCK(inode->i_mode)) {
   /*
    * 2-Feb-1995 Bruce Perens <Bruce@Pixar.com>
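
Review bot: The added CONFIG_RACE_FIX condition compares current->fsuid with inode->i_uid and makes no exception for the superuser, so with this option enabled root is also refused with -EPERM when opening another user's regular file or FIFO for writing in a sticky directory. The accompanying message says that is the point of this variant, but nothing in the code says so; a short comment above the block stating that root is deliberately included would keep a later reader from "fixing" it. The bare (flag & 2) also needs a comment: going by the help text it is meant to select opens for writing, and a reader of this hunk alone cannot tell which bit that is.
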
--- linux-2.0.33/fs/Config.in.orig Sat Feb 21 14:37:18 1998
+++ linux-2.0.33/fs/Config.in  Sat Feb 21 14:36:56 1998
@@ -4,6 +4,9 @@
mainmenu_option next_comment
comment 'Filesystems'
+if [ "$CONFIG_EXPERIMENTAL" =3D "y" ]; then
+  bool 'Super-safe race conditions patch (EXPERIMENTAL)' CONFIG_RACE_F=
IX
+fi
bool  'Quota support' CONFIG_QUOTA
tristate 'Minix fs support' CONFIG_MINIX_FS
tristate 'Extended fs support' CONFIG_EXT_FS
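
Review bot: The prompt on the added bool line, 'Super-safe race conditions patch (EXPERIMENTAL)', names the patch rather than the behaviour it switches on. Wording along the lines of 'Deny writes to files owned by others in +t directories' would tell someone configuring a kernel what they are selecting. Keeping it behind CONFIG_EXPERIMENTAL matches the help text's own warning that programs may stop working.
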
--- linux-2.0.33/Documentation/Configure.help.orig Sat Sep  6 05:43:58 =
1997
+++ linux-2.0.33/Documentation/Configure.help  Sat Feb 21 15:22:43 1998
@@ -2930,6 +2930,18 @@
   will skip detection and configuration after all.
   N.B. options are case sensitive.
   Read Documentation/cdrom/isp16 for details.
+
+Super-safe race conditions patch
+CONFIG_RACE_FIX
+  'Super-safe race condition fix' disallows users to write files/pipes
+  not owned by them in +t directories, overriding file access mode.
+  This feature prevents 'race conditions'. This patch is experimental.
+  If you're afraid about your security, say Y. Otherwise, if one
+  of more of your programs stops working with this patch, say N,
+  and report your problem to us.
+  Newest version can be obtained from authors, Michal Zalewski
+  <lcamtuf@staszic.waw.pl> and Krzysztof G. Baranowski
+  <kgb@manjak.knm.org.pl>.
Quota support
CONFIG_QUOTA
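
Review bot: The help entry's sentence "This feature prevents 'race conditions'" claims more than the option does. According to the sentence before it, the restriction covers writing to files/pipes not owned by the caller in +t directories, so the text should say it blocks that one class of sticky-directory races and nothing else. It should also state that root is subject to the restriction, since that is what separates this variant from the earlier patch, and "one of more of your programs" should read "one or more".
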
-- eof --

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to execute recursively - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
