Bugtraq mailing list archives
Re: SUMMARY Security Info (root broken)
From: rwing!pat () ole cdac com (Pat Myrto)
Date: Mon, 3 Oct 94 21:40:55 PDT
"In the previous message, Luke Mewburn said..."
> [ ... ] I've looked at the 4.4BSD-lite (NetBSD uses this) mail.local.c and at first, thought there was a potential race condition in the code where it does an lstat check then an open, thinking there was a race condition. Checking the man page for open() however, revealed the following tidbits: If path is a symbolic link and O_CREAT and O_EXCL are set, the link is not followed. (From Solaris 2.3, and the NetBSD-current man page says something similar.) So, it seems that a standard (POSIX?) has explicitly given us a method to atomically create a file if it doesn't exist, whilst at the same time not getting fooled by a dangling symlink (which is a common way to exploit setuid race conditions, correct?) Now, I don't know if this helps people on systems where this behaviour doesn't exist (I'm not sure if SunOS 4 supports this, for example.)
I dunno either, but I am sure going to check it out. If it is true on SunOS too, you may have hit upon a real gem.
> It's the creating of the new file by a privileged process that is the critical region that so often gets spoofed by a race condition. I have some (simple - thus easy to follow and assure is correct - I hope :) code at home that I was working on which should work without a race condition (using the atomic link()), so I'll post it tomorrow to get dissected by those with more experience than I. If it does work the way I expect it to, I feel that a simpler, more effective, mail.local could be implemented that didn't rely upon the O_CREAT | O_EXCL feature of newer systems I described above...
Please do. The more ideas, the better. They can be transplanted to other problem spots, or stuck in a 'trick bag' to call on when writing one's own SUID util.

--
pat@rwing [If all fails, try: rwing!pat () eskimo com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.
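The open() behaviour Luke quotes above, as an added example that is not part of the original thread: an exclusive create with O_CREAT|O_EXCL, plus a self-check that plants a dangling symlink in a fresh temp directory and confirms the create is refused. The directory and file names are constructed for the demonstration.

```c
/* Added example, not code from the thread: atomic create with O_CREAT|O_EXCL
 * and a self-check that a dangling symlink at the target path is refused. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` exclusively. Returns an open fd, or -1 with errno set.
 * With O_EXCL alongside O_CREAT the kernel does not follow a symlink at
 * `path`: the call fails with EEXIST rather than creating the link target. */
int create_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* After a failed create, report what is in the way:
 * 1 = a symlink, 0 = some other object, -1 = nothing (path absent). */
int blocked_by_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Self-check in a constructed temp dir: a symlink pointing at a file that
 * does not exist yet is placed where the privileged process would create its
 * file. Returns 1 when the create fails with EEXIST, the obstacle is a
 * symlink, and the link target was never created; 0 otherwise. */
int symlink_create_is_refused(void)
{
    char dir[] = "/tmp/exclXXXXXX", link[300], target[300];
    int fd = -1, ok = 0;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/mailbox.lock", dir);
    snprintf(target, sizeof target, "%s/link-target", dir);
    if (symlink(target, link) == 0) {
        fd = create_exclusive(link);
        ok = fd == -1 && errno == EEXIST && blocked_by_symlink(link) == 1
             && access(target, F_OK) != 0;
        if (fd >= 0) close(fd);
    }
    unlink(link); unlink(target); rmdir(dir);
    return ok;
}
```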