Re: SUMMARY Security Info (root broken)

Pat Myrto (rwing!pat@ole.cdac.com)
Mon, 3 Oct 94 21:40:55 PDT

"In the previous message, Luke Mewburn said..."
> 
>  [ ... ]
>
> I've looked at the 4.4BSD-lite (NetBSD uses this) mail.local.c and at
> first, thought there was a potential race condition in the code
> where it does an lstat check then an open, thinking there was a race
> condition. Checking the man page for open() however, revealed the
> following tidbits:
> 	If path is a symbolic link and O_CREAT and O_EXCL are set,
> 	 the link is not followed.
> (From Solaris 2.3, and the NetBSD-current man page says something
> similar.)
> 
> So, it seems that a standard (POSIX?) has explicitly given us a method
> to atomically create a file if it doesn't exist, whilst at the same
> time not getting fooled by a dangling symlink (which is a common way
> to exploit setuid race conditions, correct?)
> 
> Now, I don't know if this helps people on systems where this behaviour
> doesn't exist (I'm not sure if SunOS 4 supports this, for example.)
 
I dunno either, but I am sure going to check it out.  If it is true
on SunOS too, you may have hit upon a real gem.

> It's the creating of the new file by a privileged process that
> is the critical region that so often gets spoofed by a race
> condition.  I have some (simple - thus easy to follow and assure
> is correct - I hope :) code at home that I was working on which should
> work without a race condition (using the atomic link()), so I'll
> post it tomorrow to get dissected by those with more experience than
> I. If it does work the way I expect it to, I feel that a simpler,
> more effective, mail.local could be implemented that didn't rely upon
> the O_CREAT | O_EXCL feature of newer systems I described above...

Please do.  The more ideas, the better.  They can be transplanted to
other problem spots, or stuck in a 'trick bag' to call on when writing
one's own SUID util.

-- 
pat@rwing  [If all fails, try:  rwing!pat@eskimo.com]  Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding
empirical evidence."  --   Ann Landers, nationally syndicated advice columnist
and Director at Handgun Control Inc.
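The two techniques discussed in the thread, open() with O_CREAT|O_EXCL refusing to follow a symlink, and creating the file through an atomic link(), as an added C example that is not part of the original messages or of mail.local. The link()-based routine is my own reading of the idea sketched above (a private mkstemp() file in the same directory, then link() to the final name), not the code the poster was going to send. The scratch directory under /tmp and the names "trap", "victim" and "fresh" are constructed for the demonstration; the dangling symlink trap -> victim stands in for what an attacker plants in a world-writable spool directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive creation: open(O_CREAT) without O_EXCL follows a symlink, so a
 * planted "path -> /etc/passwd" gets that target created or opened with
 * the privileged process's rights. Returns fd or -1. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Atomic creation with O_CREAT|O_EXCL: POSIX requires open() to fail with
 * EEXIST if path is a symbolic link, even a dangling one, so there is no
 * lstat-then-open window to race. Returns fd or -1 with errno set. */
int excl_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Creation via atomic link(): make a private temp file in the same
 * directory, then link() it to the target name. link() fails with EEXIST
 * if the target name exists in any form (regular file, dangling symlink)
 * and does not follow a symlink at the new name. Returns fd or -1. */
int link_create(const char *dir, const char *name)
{
    char tmpl[4096], target[4096];
    int fd;

    if (snprintf(tmpl, sizeof tmpl, "%s/.tmpXXXXXX", dir) >= (int)sizeof tmpl ||
        snprintf(target, sizeof target, "%s/%s", dir, name) >= (int)sizeof target) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmpl);                 /* itself O_CREAT|O_EXCL underneath */
    if (fd < 0)
        return -1;
    if (link(tmpl, target) != 0) {      /* atomic: EEXIST if the name is taken */
        int saved = errno;
        close(fd);
        unlink(tmpl);
        errno = saved;
        return -1;
    }
    unlink(tmpl);                       /* fd still refers to the inode now named target */
    return fd;
}

/* Does path exist as a directory entry (lstat, so a symlink counts)? */
int path_exists(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0;
}

/* Constructed scenario: a scratch directory holding the dangling symlink
 * "trap" -> "victim". Returns a bitmask of outcomes:
 *   1  excl_create("trap") failed with EEXIST and "victim" was not created
 *   2  link_create("trap") failed with EEXIST and "victim" was not created
 *   4  link_create("fresh") succeeded and "fresh" is a regular file
 *   8  naive_create("trap") followed the link and created "victim"
 * 15 means the platform behaves as the quoted open() man page says. */
int run_demo(void)
{
    char dir[] = "/tmp/exclXXXXXX";
    char trap[64], victim[64], fresh[64];
    int result = 0, fd;
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(trap, sizeof trap, "%s/trap", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if (symlink("victim", trap) != 0)   /* relative, dangling symlink */
        return -1;

    if (excl_create(trap) == -1 && errno == EEXIST && !path_exists(victim))
        result |= 1;
    if (link_create(dir, "trap") == -1 && errno == EEXIST && !path_exists(victim))
        result |= 2;
    if ((fd = link_create(dir, "fresh")) >= 0) {
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && path_exists(fresh))
            result |= 4;
        close(fd);
    }
    if ((fd = naive_create(trap)) >= 0) {   /* the unsafe pattern, for contrast */
        close(fd);
        if (path_exists(victim))
            result |= 8;
    }
    unlink(victim); unlink(fresh); unlink(trap); rmdir(dir);
    return result;
}

int main(void)
{
    printf("outcome bitmask: %d\n", run_demo());
    return 0;
}
```

Both safe routines avoid the check-then-act window because the kernel does the existence test and the creation in one system call; the naive open(O_CREAT) is kept only to show the symlink being followed. The link() route costs one extra inode and a cleanup unlink, but it needs no O_EXCL symlink semantics from open(), which is the point raised above for systems where that guarantee was uncertain.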