[3002] in Kerberos


Re: [kerberos] Re: Problem with krb5_db_destroy

daemon@ATHENA.MIT.EDU (Steve Lunt)
Mon Feb 7 14:45:09 1994

Date: Mon, 7 Feb 1994 14:29:20 -0500
From: Steve Lunt <lunt@ctt.bellcore.com>
To: pshuang@MIT.EDU
Cc: kerberos@MIT.EDU

	I added code to zero out the stored records in the database
	before destroying it.

-- Steve

Steven J. Lunt                     lunt@bellcore.com
Information Technology Security    RRC 1L-213
Bellcore                           444 Hoes Lane
(908) 699-4244                     Piscataway, NJ 08854

> Date: Thu, 3 Feb 94 18:50:53 -0500
> From: pshuang@MIT.EDU (Ping Huang)
> To: Steve Lunt <lunt@ctt.bellcore.com>
> Subject: [kerberos] Re: Problem with krb5_db_destroy
> 
>  > 	The routine to destroy a database writes zeros to the ndbm files
>  > before unlinking them.  This is unwise, since the ndbm files are mostly
>  > holes, and writing to them fills in the holes.  I ran out of space on my
>  > file system while destroying the database!  Here's a fix.
> 
> To not zero out the database file before destroying it is insecure
> since you're leaving the contents of the database on the disk, where
> they may become accessible to non-privileged processes when that disk
> space is reused.
> 
> ...
> 
> ---
> Yours in Leadership, Friendship, and Service,
> Ping Huang (INTERNET: pshuang@mit.edu), probably speaking for himself

***************
*** 873,879 ****
  }
  
  /*
!  * Destroy the database.  Zero's out all of the files, just to be sure.
   */
  krb5_error_code
  destroy_file_suffix(dbname, suffix)
--- 926,932 ----
  }
  
  /*
!  * Destroy the database.
   */
  krb5_error_code
  destroy_file_suffix(dbname, suffix)
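Review bot: the shortened comment on destroy_file_suffix now says only "Destroy the database", which hides why the overwrite that used to live here is gone; since the routine now only unlinks and relies on krb5_dbm_db_destroy having already zeroed the records, say so in the comment (for example "Records are zeroed in krb5_dbm_db_destroy before this is called; this routine only unlinks the file") so the next reader does not take the missing overwrite for an accidental regression.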
***************
*** 881,924 ****
  	char	*suffix;
  {
  	char	*filename;
- 	struct stat	statb;
- 	int		nb,fd,i;
- 	char		buf[BUFSIZ];
  
  	filename = gen_dbsuffix(dbname, suffix);
  	if (filename == 0)
  		return ENOMEM;
- 	if ((fd = open(filename, O_RDWR, 0)) < 0) {
- 		int retval = errno == ENOENT ? 0 : errno;
- 		free(filename);
- 		return retval;
- 	}
- 	/* fstat() will probably not fail unless using a remote filesystem
- 	   (which is inappropriate for the kerberos database) so this check
- 	   is mostly paranoia.  */
- 	if (fstat(fd, &statb) == -1) {
- 		int retval = errno;
- 		free(filename);
- 		return retval;
- 	}
- 	i = 0;
- 	while (i < statb.st_size) {
- 		nb = write(fd, buf, BUFSIZ);
- 		if (nb < 0) {
- 			int retval = errno;
- 			free(filename);
- 			return retval;
- 		}
- 		i += nb;
- 	}
- 	/* ??? Is fsync really needed?  I don't know of any non-networked
- 	   filesystem which will discard queued writes to disk if a file
- 	   is deleted after it is closed.  --jfc */
- #ifndef NOFSYNC
- 	fsync(fd);
- #endif
- 	close(fd);
- 
  	if (unlink(filename)) {
  		int retval = errno;
  		free(filename);
--- 934,943 ----
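Review bot: removing this loop means nothing in destroy_file_suffix rewrites the file's blocks before unlink, so the erasure guarantee now rests entirely on the record-by-record dbm_store pass in krb5_dbm_db_destroy, which only rewrites bytes that belong to currently live records; bytes of records deleted before the destroy, or left behind in page slack by earlier stores, are never touched, and the .dir file is not scrubbed at all. It is also worth recording that the removed code did not do what its comment claimed: buf was declared as `char buf[BUFSIZ];` and never initialized, so `write(fd, buf, BUFSIZ)` pushed stack contents rather than zeros, and the `while (i < statb.st_size)` loop wrote in whole BUFSIZ multiples, extending the file past st_size. An alternative to dropping the overwrite entirely would have been to keep it but confine it to the allocated regions of the file instead of writing through every hole, which is the disk-space problem the original report describes.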
***************
*** 932,939 ****
--- 951,974 ----
  krb5_dbm_db_destroy(dbname)
  	char	*dbname;
  {
+ 	datum key, contents;
+ 	DBM *db;
  	krb5_error_code	retval;
  
+ 	if ((db = dbm_open(dbname, O_RDONLY, 0600)) == NULL) {
+ 	    retval = errno;
+ 	    return retval;
+ 	}
+ 
+ 	/* Zero out contents */
+ 	for (key = dbm_firstkey (db); key.dptr != NULL; key = dbm_next(db, key)) {
+ 	    contents = dbm_fetch (db, key);
+ 	    memset((char *)contents.dptr, 0, contents.dsize);
+ 	    if (dbm_store(db, key, contents, DBM_REPLACE))
+ 		return errno;
+ 	}
+ 	(void) dbm_close(db);
+ 
  	if (retval = destroy_file_suffix(dbname, ".pag"))
  		return(retval);
  	if (retval = destroy_file_suffix(dbname, ".dir"))

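The quoted exchange above turns on a trade-off: overwriting the ndbm files before unlinking them leaves no record contents on disk, but writing zeros through a mostly-hole file fills the holes and can exhaust the filesystem. As an added example, not code from this thread or from the Kerberos sources, here is one way to overwrite only the allocated extents of a sparse file before unlinking it, using the lseek SEEK_DATA/SEEK_HOLE interface (Linux, FreeBSD, Solaris; a filesystem without hole support is treated as one data extent); it applies to any file, not only the .pag/.dir pair. The temporary path under /tmp and the 4 KiB / 8 MiB layout in the self-test are constructed for the demonstration.

```c
#define _GNU_SOURCE 1                    /* SEEK_DATA/SEEK_HOLE, pwrite on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef SEEK_DATA                        /* Linux, FreeBSD and Solaris ABI values */
#define SEEK_DATA 3
#define SEEK_HOLE 4
#endif
/* Zero each data extent of fd, skip its holes, then fsync.  Returns 0, or -1 with errno. */
int scrub_allocated(int fd)
{
    static const char zeros[BUFSIZ];    /* static storage: all zero */
    struct stat st;
    off_t data = 0, hole;
    if (fstat(fd, &st) == -1) return -1;
    while (data < st.st_size) {
        hole = lseek(fd, data, SEEK_DATA);                /* start of next data extent */
        if (hole == (off_t)-1 && errno == ENXIO) break;   /* only holes remain */
        if (hole != (off_t)-1) data = hole, hole = lseek(fd, data, SEEK_HOLE);
        if (hole == (off_t)-1) hole = st.st_size;         /* no hole support: treat rest as data */
        while (data < hole) {                             /* overwrite this extent only */
            ssize_t w = pwrite(fd, zeros, hole - data < (off_t)sizeof zeros ? (size_t)(hole - data) : sizeof zeros, data);
            if (w < 0) return -1;
            data += w;
        }
    }
    return fsync(fd);                   /* zeros must reach the disk before the caller unlinks */
}
/* Constructed self-test: scrub two 4 KiB blocks 8 MiB apart; returns 1 if both read back as zero. */
int demo_scrub_sparse(void)
{
    char path[] = "/tmp/scrub_demo_XXXXXX", buf[4096];  /* assumption: /tmp is writable */
    off_t offs[2] = { 0, 8 << 20 };                     /* 8 MiB hole between the two blocks */
    int fd = mkstemp(path), ok = fd >= 0;               /* fd < 0 simply yields ok == 0 */
    unlink(path);                                       /* file stays reachable via fd only */
    memset(buf, 'A', sizeof buf);
    for (int i = 0; i < 2; i++)
        ok &= pwrite(fd, buf, sizeof buf, offs[i]) == (ssize_t)sizeof buf;
    ok &= scrub_allocated(fd) == 0;
    for (int i = 0; i < 2; i++) {
        ok &= pread(fd, buf, sizeof buf, offs[i]) == (ssize_t)sizeof buf;
        for (size_t j = 0; j < sizeof buf; j++) ok &= buf[j] == 0;
    }
    close(fd);
    return ok;
}
```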