Subject: Re: Symlinks and Cryogenic Sleep
From: der Mouse (mouse RODENTS.MONTREAL.QC.CA)
Date: Mon Jan 03 2000 - 20:04:27 CST
- Next message: Alan Brown: "Subscription bomb tracing - feature request."
- Previous message: Georgi Guninski: "Yet another Hotmail security hole - injecting JavaScript in IE using <IMG DYNRC="javascript:....">"
- Maybe in reply to: Olaf Kirch: "Symlinks and Cryogenic Sleep"
- Next in thread: Goetz Babin-Ebell: "Re: Symlinks and Cryogenic Sleep"
- Maybe reply: der Mouse: "Re: Symlinks and Cryogenic Sleep"

> [symlink-paranoia code]

> However, consider an average setuid root application, [...]. When
> the application reaches the critical section of code between the
> lstat and the open, you stop it by sending it a SIGSTOP.

If you can send it a SIGSTOP, either you're running as root (in which
case you don't *need* to play with symlink races), the application is
running as you (in which case breaking it buys you nothing), or signal
delivery is critically broken.

In fact, I suspect that any process you can SIGSTOP, you can attach to
with ptrace and do whatever you want without need for subterfuge.

> --for instance a lookup of /tmp/foo (as done by lstat()) will
> change the directory's atime.

"That turns out not to be the case." Or at least, you can't count on
it:

[Sparkle] 115> ls -ldu /tmp
drwxrwxrwt 24 root 2560 Jan 2 21:15 /tmp
[Sparkle] 116> date
Mon Jan 3 23:15:27 EST 2000
[Sparkle] 117> ls -ld /tmp/foobar
/tmp/foobar not found
[Sparkle] 118> ls -ldu /tmp
drwxrwxrwt 24 root 2560 Jan 2 21:15 /tmp
[Sparkle] 119>
der Mouse
mouse
rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
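
The quoted text above turns on the window between lstat() and open(). As an added example (not code from this thread or its participants), one way to remove that window is to open first with O_NOFOLLOW and only then compare the descriptor with the name. The function names and the scratch paths below are hypothetical, and the sample files are constructed by the demo itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): open an existing file for
 * writing only if the name is a regular file and not a symlink.
 * Returns a descriptor, or -1 with errno set. */
int open_regular_nofollow(const char *path)
{
    struct stat fd_st, path_st;
    /* Open first. The descriptor pins the inode, so a pause after this
     * point cannot let the inode number be reused by another file. */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;              /* ELOOP: final component is a symlink */
    if (fstat(fd, &fd_st) == 0 && lstat(path, &path_st) == 0 &&
        S_ISREG(fd_st.st_mode) && fd_st.st_dev == path_st.st_dev &&
        fd_st.st_ino == path_st.st_ino)
        return fd;              /* name still refers to what was opened */
    close(fd);
    errno = EPERM;
    return -1;
}

/* Constructed sample input: a scratch directory with one regular file and
 * one symlink to it. Returns 0 if the file is accepted and the link refused. */
int demo(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", file[64], lnk[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof file, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) < 0) return -1;
    close(fd);
    int ok = open_regular_nofollow(file);
    int bad = open_regular_nofollow(lnk);
    int refused = (bad < 0 && errno == ELOOP);
    if (ok >= 0) close(ok);
    if (bad >= 0) close(bad);
    unlink(lnk); unlink(file); rmdir(dir);
    return (ok >= 0 && refused) ? 0 : 1;
}

int main(void) { return demo(); }
```

O_NOFOLLOW only covers the final path component; symlinks in parent directories are still followed.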
This archive was generated by hypermail 2b27 : Tue Jan 04 2000 - 14:17:43 CST