[1023] in bugtraq
Re: mail.local.c patch
daemon@ATHENA.MIT.EDU (Neil Woods)
Sat Feb 18 21:35:02 1995
From: Neil Woods <neil@legless.demon.co.uk>
To: Jon Peatfield <J.S.Peatfield@amtp.cam.ac.uk>
Date: Sun, 19 Feb 1995 01:24:30 +0100 (GMT)
Cc: bugtraq@fc.net
In-Reply-To: <9502181422.AA14522%club.amtp.cam.ac.uk@damtp.cambridge.ac.uk> from "Jon Peatfield" at Feb 18, 95 02:22:37 pm
> /*
> The original version of this has two possible races which can cause
> problems.
>
> The first is when the file we are about to open doesn't exist, in which
> case there is a race between the lstat() and the open() in which someone
> can create a symlink to anywhere. The file pointed at must not exist
> but this still allows the creation of .rhosts etc.
>

From mail.local.c:

        if (lstat(path, &sb)) {
                mbfd = open(path,
                    O_APPEND|O_CREAT|O_EXCL|O_WRONLY, S_IRUSR|S_IWUSR);

open(2) doesn't follow symlinks when O_CREAT and O_EXCL are set, so we
don't have a race here. We're doing an lstat(2) to see if path exists,
and to save information about path.

> The second is harder as it must fool the check on the inode number etc.
> I'm not sure if there really is a race here but I get the feeling that
> someone *might* be able to almost fill a file-system, such that they get
> the same inode number after the race.

As we are checking device no as well as inode no, we again avoid race
conditions.

Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...
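
The two checks discussed in this message, as an added C example that is not part of the original post or of mail.local.c: exclusive creation on a dangling symlink, and the lstat()/fstat() device and inode comparison. It assumes POSIX open(2) semantics; the function names, the scratch directory under /tmp and the file names are hypothetical.

```c
#define _XOPEN_SOURCE 700       /* for lstat, symlink, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create branch: O_CREAT|O_EXCL fails with EEXIST if anything, even a
 * dangling symlink, already sits at path (POSIX semantics assumed). */
int create_exclusive(const char *path)
{
    return open(path, O_APPEND | O_CREAT | O_EXCL | O_WRONLY, S_IRUSR | S_IWUSR);
}

/* Existing-file branch: lstat(), open(), then fstat() and compare st_dev/st_ino. */
int open_checked(const char *path)
{
    struct stat sb, fsb;
    int fd;
    if (lstat(path, &sb) != 0)
        return create_exclusive(path);
    if ((fd = open(path, O_APPEND | O_WRONLY)) < 0)
        return -1;
    if (fstat(fd, &fsb) != 0 || fsb.st_dev != sb.st_dev || fsb.st_ino != sb.st_ino) {
        close(fd);              /* not the object lstat() described */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario; returns a bitmask of checks that held (7 = all), -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/mboxdemoXXXXXX";
    struct stat st;
    int ok = 0, fd;
    if (!mkdtemp(dir) || chdir(dir) || symlink("victim", "dangling") || symlink("mbox", "link"))
        return -1;
    if (create_exclusive("dangling") < 0 && errno == EEXIST && stat("victim", &st) != 0)
        ok |= 1;                /* link not followed, target not created */
    if ((fd = create_exclusive("mbox")) >= 0) { close(fd); ok |= 2; }
    if (open_checked("link") < 0 && errno == EPERM)
        ok |= 4;                /* lstat() saw the link, fstat() the file behind it */
    unlink("dangling"); unlink("link"); unlink("mbox");
    return (chdir("/") == 0 && rmdir(dir) == 0) ? ok : -1;
}

int main(void) { printf("checks held: %d (7 = all)\n", demo()); return 0; }
```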