Bugtraq mailing list archives

Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache


From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Tue, 29 Aug 1995 20:18:53 -0400


If I left the impression that I was confident this isn't a potential
security hazard, I was foolish.  I worried about it when I installed
the feature, I was worried enough about it to accompany it with
documentation, and I'm still worried about it.  However, in my
opinion the performance payoff is just too great to ignore having
this feature.  I've tried as hard as I know to make it as safe as
possible.

Well, I think I would prefer one file per invoking UID, mode 600 owned
by that user, and when opening it you should be very paranoid.
Something like:

        - lstat() it
        - if it's nonexistent
                - open with O_EXCL|O_CREAT
                - fstat() the fd
                - lstat() it again
                - make sure the two stat structures agree, and that the
                   lstat() didn't indicate a symlink
        - else, it exists, so
                - make sure it's not a symlink, expected owner and mode
                - open without O_EXCL or O_CREAT
                - if the open failed with ENOENT, go back to the top
                   (perhaps put a (small) retry count limit on this?)
                - fstat() the fd
                - make sure it matches the first lstat()

Of course, this should all be done after permanently discarding all
privilege (which should have been done very early in startup, right
after opening /dev/kmem and whatever else is needed).

I think the running-as-root case is important enough, and root needs an
especially trustworthy lsof enough, that even if all other users share
a cache file, root should have its own, and it should be mode 600.

Of course, that's just my opinion.  And I don't have patches to back it
up, so to speak....

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
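The lstat/open/fstat sequence sketched in the post, written out in C as an added example (this is not code from the post or from lsof). It assumes the caller has already permanently dropped privileges, so getuid() is the invoking user, and that the path passed in is that user's own per-UID cache file; the retry limit of four is a chosen value.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (or create) the per-UID cache file following the sequence from the
 * post; returns an open fd, or -1 if any check fails.  Assumes privileges
 * were permanently dropped earlier, so getuid() is the invoking user. */
int open_cache_paranoid(const char *path)
{
    struct stat before, after, viafd;
    for (int attempt = 0; attempt < 4; attempt++) {   /* small retry limit */
        int fd;
        if (lstat(path, &before) == -1) {
            if (errno != ENOENT)
                return -1;
            /* nonexistent: create exclusively, then prove the fd is that file */
            fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
            if (fd == -1)
                return -1;
            if (fstat(fd, &viafd) == -1 || lstat(path, &after) == -1 ||
                S_ISLNK(after.st_mode) || after.st_dev != viafd.st_dev ||
                after.st_ino != viafd.st_ino) {
                close(fd);
                return -1;
            }
            return fd;
        }
        /* exists: not a symlink, a plain file, ours, and exactly mode 0600 */
        if (S_ISLNK(before.st_mode) || !S_ISREG(before.st_mode) ||
            before.st_uid != getuid() || (before.st_mode & 07777) != 0600)
            return -1;
        fd = open(path, O_RDWR);                 /* no O_CREAT, no O_EXCL */
        if (fd == -1) {
            if (errno == ENOENT)
                continue;                        /* vanished: back to the top */
            return -1;
        }
        /* the fd must refer to the very inode the first lstat() examined */
        if (fstat(fd, &viafd) == -1 || viafd.st_dev != before.st_dev ||
            viafd.st_ino != before.st_ino) {
            close(fd);
            return -1;
        }
        return fd;
    }
    return -1;
}
```

A per-UID path, for example `/tmp/.lsof_dev_cache.<uid>`, is the caller's responsibility; the function only verifies what it is handed.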
