[2892] in Kerberos-V5-bugs
pending/560: BUG: possible lib/krb4/tf_util.c race condition
daemon@ATHENA.MIT.EDU (Larry Schwimmer)
Tue Mar 17 18:51:14 1998
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU,
Larry Schwimmer <schwim@whatmore.Stanford.EDU>
Date: Tue, 17 Mar 1998 15:50:32 -0800 (PST)
From: Larry Schwimmer <schwim@whatmore.Stanford.EDU>
To: krb5-bugs@MIT.EDU
Cc: schwim@leland.Stanford.EDU
>Number: 560
>Category: pending
>Synopsis: BUG: possible lib/krb4/tf_util.c race condition
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Mar 17 18:51:00 EST 1998
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
Submitter-Id: net
Originator: Larry Schwimmer
Confidential: no
Synopsis: tf_init has a /tmp race condition
Severity: serious
Priority: medium
Category: krb5-libs
Class: sw-bug
Release: 1.0.5
Environment: All
Description:
tf_init uses lstat to check the permissions on the ticket
file. Since lstat+open is not atomic, a race condition exists. Since
the open call only specifies O_RDWR and the call may be made by root
for a regular user, it is a potential root-level exploit for code
using the krb4 compatibility library.
How-To-Repeat:
Read the code.
Fix:
Replace
lstat + open(O_RDWR)
with
open(O_RDWR|O_CREAT|O_EXCL) + fstat
for the write call and
open(O_RDONLY|O_NONBLOCK) + fstat
for the read call. This eliminates the race condition since the file
descriptor checked by fstat is the file that was created or read.
This eliminates the symlink problem by using O_CREAT|O_EXCL. This
eliminates the blocking problem (as a named pipe could do) by
specifying O_NONBLOCK.
yours,
Larry Schwimmer
schwim@leland.stanford.edu
Leland Systems Group