[2709] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

pending/407: bug in rcache/rc_io.c

daemon@ATHENA.MIT.EDU (Patrick Powell)
Fri Mar 28 19:11:15 1997

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Patrick Powell <papowell@dickory.sdsu.edu>
Date: Fri, 28 Mar 1997 16:06:59 -0800 (PST)
From: Patrick Powell <papowell@dickory.sdsu.edu>
To: krb5-bugs@MIT.EDU


>Number:         407
>Category:       pending
>Synopsis:       bug in rcache/rc_io.c
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Mar 28 19:09:00 EST 1997
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Sorry not to use the reporter,  but the system I am mailing from
is not the one that has the Kerberos distribution and support.

Problem: /kerberos/krb5-1.0/src/lib/krb5/rcache/rc_io.c
  - this routine is used to check that a cache file has been created
    and has the right ownerships.  The problem is that it does not
    work correctly with SUID programs,  and it does not check to see
    that the file is really owned by the right person.

    There is a race condition here -  the file is 'stat'ed, and then
    opened - this allows a window of opportunity for a user to do funny things...
    You want to OPEN the file and then use FSTAT to check it.


*** /mnt/papowell/kerberos/krb5-1.0/src/lib/krb5/rcache/rc_io.c	Fri Mar 28 10:42:31 1997
--- rc_io.c.orig	Fri Mar 28 10:15:13 1997
***************
*** 168,174 ****
--- 168,176 ----
  {
   krb5_int16 rc_vno;
   krb5_error_code retval;
+ #ifndef NO_USERID
   struct stat statb;
+ #endif
  
   GETDIR;
   if (!(d->fn = malloc(strlen(fn) + dirlen + 1)))
***************
*** 177,198 ****
   (void) strcat(d->fn,PATH_SEPARATOR);
   (void) strcat(d->fn,fn);
  
   d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
!  if(d->fd == -1 || (d->fd = stat(d->fn, &statb)) == -1
!     || ((statb.st_mode & S_IFMT) != S_IFREG)) {
! 	retval = KRB5_RC_IO_PERM; 
! 	goto fail;
!  }
! #ifndef NO_USERID
!      /* must be owned by either the user or effective user,
! 	  * to prevent some security problems with
! 	  * other users modifying replay cache stufff */
!  else if ((statb.st_uid != geteuid() && statb.st_uid != getuid() )){
! 	 retval = KRB5_RC_IO_PERM;
! 	 goto fail;
   }
  #endif
- 
   if (d->fd == -1) {
     switch(errno)
      {
--- 179,200 ----
   (void) strcat(d->fn,PATH_SEPARATOR);
   (void) strcat(d->fn,fn);
  
+ #ifdef NO_USERID
   d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
! #else
!  if ((d->fd = stat(d->fn, &statb)) != -1) {
!      uid_t me;
! 
!      me = getuid();
!      /* must be owned by this user, to prevent some security problems with
! 	 * other users modifying replay cache stufff */
!      if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
! 	 FREE(d->fn);
! 	 return KRB5_RC_IO_PERM;
!      }
!      d->fd = THREEPARAMOPEN(d->fn,O_RDWR | O_BINARY,0600);
   }
  #endif
   if (d->fd == -1) {
     switch(errno)
      {

home help back first fref pref prev next nref lref last post