[8506] in bugtraq
Re: Xinetd /tmp race?
daemon@ATHENA.MIT.EDU (Glynn Clements)
Wed Nov 11 16:41:03 1998
Date: Wed, 11 Nov 1998 20:00:46 +0000
Reply-To: Glynn Clements <glynn@SENSEI.CO.UK>
From: Glynn Clements <glynn@SENSEI.CO.UK>
X-To: Balazs Nagy <julian7@KVA.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.02.9811110326440.11996-100000@krondor.kva.hu>
Balazs Nagy wrote:
> If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
> this method isn't checked against /tmp, and it happily overwrites anything
> in the place of that file. The package has been released in 1997, IMHO this
> is too old to have a bug of this kind hidden.
>
> BTW here's the patch:
[stat() before open() patch]
1. This suffers from a race condition (in fact, this is the textbook
example of a race condition). You need to fstat() the open()ed file,
and check that it's the same file that you just stat()ed.
2. The stat() needs to be an lstat(), to allow for symlinks.
--
Glynn Clements <glynn@sensei.co.uk>
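
The two points in the reply above, written out as an added example (not part of the original message and not xinetd's code): lstat() the name, open() it without truncating, then fstat() the descriptor and compare device and inode before touching the contents. The function name `open_dump_checked`, the link-count test, the O_NONBLOCK flag and the default path are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing only if it can be shown to be the same plain
 * file before and after open(). Returns a descriptor, or -1 on refusal. */
int open_dump_checked(const char *path)
{
    struct stat before, after;
    int fd;

    if (lstat(path, &before) == -1) {   /* lstat(): do not follow symlinks */
        if (errno != ENOENT)
            return -1;
        /* Nothing there yet: O_EXCL fails if anything, even a dangling
         * symlink, is planted at the name before the file is created. */
        return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    }
    /* Refuse symlinks, FIFOs, devices and directories. The link-count
     * test (hard links) is an addition to the two points in the message. */
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1)
        return -1;
    /* No O_TRUNC yet; O_NONBLOCK avoids hanging on a swapped-in FIFO. */
    fd = open(path, O_WRONLY | O_NONBLOCK);
    if (fd == -1)
        return -1;
    /* The name may have been re-pointed between lstat() and open(), so
     * trust only the descriptor: same device and inode, then truncate. */
    if (fstat(fd, &after) == -1 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || ftruncate(fd, 0) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* "example.dump" is a constructed default path, not xinetd's. */
    int fd = open_dump_checked(argc > 1 ? argv[1] : "example.dump");
    if (fd == -1)
        fputs("refusing to write dump\n", stderr);
    else
        close(fd);
    return fd == -1 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Because the file is opened without O_TRUNC and truncated only after the identity check, a name swapped in during the window is rejected before anything is overwritten.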