Bugtraq mailing list archives
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
From: avalon () coombs anu edu au (Darren Reed)
Date: Thu, 17 Aug 1995 18:57:43 +1000
In some mail from Nathan Lawson, sie said:
> > On Wed, 16 Aug 1995, Nathan Lawson wrote:
> > > The /tmp/.psXXXXXX is open to a race. The directory is safe as long as it isn't world writable.
> > Mind to expand on this? How would this work? The /tmp directory *does* have the sticky bit so we can't rm the file and substitute it. Are you talking
> Yes. Basically, Irix uses an insecure method of making a temp file based on pid, just like any other OS that uses blahXXXXXX. If you are going to use a predictable filename, then you'd better open it securely. Hobbit posted a very good method a while back during some binmail fiasco. Basically, with a temp file, you are creating a file. The way he described was to open the file with O_EXCL so it doesn't follow symlinks. Then, lstat the file and make sure it is not a link. Lastly, stat the file and make sure it has the same inode as found in the lstat call.
I think this is what Sun did...and fell over. Even doing all of those things would not have prevented the Sun bug in ps. What all those checks do is fail to realise that the file they have open is not necessarily the one that is there on disk. What they needed to do was use fchown(). Had they used fchown instead of chown, there would be no bug, regardless of the permissions on /tmp. Similarly, you should be using fstat above, not just stat/lstat. Once you've opened a file, any further check on it which doesn't use the fd is raceable, if it can be changed, such as permissions on /tmp usually allow.

darren
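A defensive version of the creation sequence discussed in this message, added here as an example and not code from the thread or from any vendor: create with O_CREAT|O_EXCL, then use only descriptor-based calls (fstat, fchmod, fchown) after the open, keeping the lstat/inode comparison as a detection cross-check rather than the thing correctness rests on. The names open_temp_safely and demo, and the scratch directory under /tmp, are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Create a temp file at a predictable name without the path-based race
 * discussed above: O_CREAT|O_EXCL refuses to follow an existing symlink,
 * and everything after open() uses the descriptor (fstat/fchmod/fchown),
 * never the path. Returns the fd, or -1 if the name already exists. */
int open_temp_safely(const char *path, uid_t owner, gid_t group)
{
    struct stat fst, lst;
    int fd = open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
    if (fd < 0)
        return -1;                  /* already there: refuse, never reuse */
    if (fstat(fd, &fst) < 0 || !S_ISREG(fst.st_mode))
        goto fail;
    /* Path-based cross-check: can detect a swap but not prevent one, since
     * it re-resolves the name; correctness rests on the fd operations. */
    if (lstat(path, &lst) < 0 || lst.st_dev != fst.st_dev || lst.st_ino != fst.st_ino)
        goto fail;
    /* The fix from the thread: chown(path) would re-resolve the name after
     * open(); fchmod/fchown act on the inode we actually hold. */
    if (fchmod(fd, 0600) < 0 || fchown(fd, owner, group) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    unlink(path);                /* created under O_EXCL, so it is ours */
    return -1;
}

/* Constructed scenario: a symlink already sits at the temp name when the
 * program goes to create it. Returns 1 if that name is refused and a clean
 * name is opened normally, 0 otherwise. Assumes /tmp is writable. */
int demo(void)
{
    char dir[] = "/tmp/psdemoXXXXXX", planted[64], fresh[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(planted, sizeof planted, "%s/.ps000001", dir);
    snprintf(fresh, sizeof fresh, "%s/.ps000002", dir);
    (void)symlink("/nonexistent-target", planted); /* pre-existing link */
    int refused = open_temp_safely(planted, getuid(), getgid()) == -1;
    int fd = open_temp_safely(fresh, getuid(), getgid());
    if (fd >= 0) { close(fd); unlink(fresh); }
    unlink(planted); rmdir(dir);
    return refused && fd >= 0;
}
```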