Re: Symlinks and Cryogenic Sleep
Subject: Re: Symlinks and Cryogenic Sleep
From: Antonomasia (ant@NOTATLA.DEMON.CO.UK)
Date: Tue Jan 04 2000 - 16:32:16 CST
- Next message: Nick Phillips: "JS problem in NS4.5 - known?"
- Previous message: Henrik Nordstrom: "Re: Symlinks and Cryogenic Sleep"
- Maybe in reply to: Olaf Kirch: "Symlinks and Cryogenic Sleep"
- Next in thread: John Cochran: "Re: Symlinks and Cryogenic Sleep"
- Maybe reply: Antonomasia: "Re: Symlinks and Cryogenic Sleep"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Olaf Kirch asked about checking files when you reopen them and
questioned the usefulness of
> if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) {
>     fd = open(fname, O_RDWR);
>     if (fd < 0 || fstat(fd, &stb2) < 0
>         || ino_or_dev_mismatch(&stb1, &stb2))
>         raise_big_stink();
> } else {
>     /* do the O_EXCL thing */
> }
"Mark A. Heilpern" <heilpern@MINDSPRING.COM> and
der Mouse <mouse@RODENTS.MONTREAL.QC.CA> maintain that mortals can only
send a SIGSTOP to their own processes.
When I send a SIGSTOP to a passwd process (uid=me,euid=0) I get:
linux 2.0.36: stopped
linux 2.2.12: stopped
OpenBSD 2.5: stopped
No doubt Olaf selected SIGSTOP in his example because it cannot be handled.
Goetz Babin-Ebell <babinebell@TRUSTCENTER.DE> provided some code which
I've not tested but looks as if it will leak open files and will
call fopen(cpFile,"a"); first and lstat() afterwards. This could lead
to the creation of unintended files at the symlink target. Only comparison
to S_IFLNK is done, leaving named pipes in the running.
It might also be raced either side of the lstat() call. fstat() is not used.
While I'm on this I'll mention a code scanner I wrote last year for checking
file races. It follows a description of an unpublished scanner by Matt Bishop
and Michael Dilger and is demonstrated on sendmail-8.6.10. In Perl.
http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz
Olaf's suggested function ino_or_dev_mismatch(&stb1, &stb2) could be
extended to check the file's owner and group remain unchanged. This
means even if a file is switched the attacker gains nothing - he has
to replace it with an equivalent file.
--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
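The lstat/open/fstat cross-check quoted from Olaf, together with the owner/group extension suggested in this message, written out as a complete C function. This is an added example, not code from the thread or from any of the posters. The names open_existing_checked and make_fixture, the return convention (-2 meaning "no regular file here, take the O_EXCL creation branch"), and the scratch files under /tmp are all my own constructions for the demo; the fixture shows that a symlink and a named pipe at the path are both rejected before open() is ever called, and that a descriptor is only returned when fstat() on it agrees with what lstat() saw.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Nonzero if the two stat results name different filesystem objects, or the
 * same object whose owner or group changed (the extension suggested above). */
int ino_or_dev_mismatch(const struct stat *a, const struct stat *b)
{
    return a->st_dev != b->st_dev || a->st_ino != b->st_ino
        || a->st_uid != b->st_uid || a->st_gid != b->st_gid;
}

/* Reopen an existing regular file read/write with the lstat/open/fstat
 * cross-check from the thread.
 *   >= 0 : descriptor for the object lstat() saw
 *   -1   : open()/fstat() failed, or the object changed between lstat() and
 *          open() (the "raise_big_stink" case)
 *   -2   : no regular file at that path (symlink, FIFO, missing): the caller
 *          should take the O_EXCL creation branch instead
 * The -2 convention is an assumption made for this example. */
int open_existing_checked(const char *fname)
{
    struct stat stb1, stb2;
    int fd;

    if (lstat(fname, &stb1) < 0 || !S_ISREG(stb1.st_mode))
        return -2;
    fd = open(fname, O_RDWR);
    if (fd < 0)
        return -1;
    if (fstat(fd, &stb2) < 0 || ino_or_dev_mismatch(&stb1, &stb2)) {
        close(fd);           /* do not leak the descriptor on the error path */
        return -1;
    }
    return fd;
}

/* Demo fixture (constructed for this example): a scratch directory holding a
 * regular file, a symlink to it and a named pipe. Returns 0 on success. */
int make_fixture(char *reg, char *lnk, char *fifo, size_t n)
{
    char dir[] = "/tmp/reopen-demo-XXXXXX";
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(reg, n, "%s/regular", dir);
    snprintf(lnk, n, "%s/link", dir);
    snprintf(fifo, n, "%s/fifo", dir);
    fd = open(reg, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(reg, lnk) < 0 || mkfifo(fifo, 0600) < 0)
        return -1;
    return 0;
}

int main(void)
{
    char reg[256], lnk[256], fifo[256];
    const char *paths[3];
    int i;

    if (make_fixture(reg, lnk, fifo, sizeof reg) < 0) {
        perror("make_fixture");
        return 1;
    }
    paths[0] = reg; paths[1] = lnk; paths[2] = fifo;
    for (i = 0; i < 3; i++) {
        int fd = open_existing_checked(paths[i]);
        printf("%-40s -> %d\n", paths[i], fd);
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Note that the uid/gid comparison only narrows the window the way this message describes: an attacker who swaps in a file with the same owner and group still passes, so the check is a complement to the O_EXCL creation path, not a replacement for it.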
This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 12:26:28 CST