Bugtraq mailing list archives

Re: [linux-security] Things NOT to put in root's crontab

From: S.Vickery () its gu edu au (Sean Vickery)
Date: Thu, 23 May 1996 13:47:23 +1000


On 22 May 1996, Philip Guenther wrote:

The race condition in find should be eliminatible by using fchdir()
and passing the '-exec'ed command a simple filename.  You have to keep
open one descriptor for each level descended which should max out at
MAXPATHLEN/2.  That should be within the bounds of modern UNIX systems.


Yes, the race condition in find can be eliminated, but your pseudocode
does not do it.

cur = open argv[1];
fchdir(cur);
do_dir(cur);

do_dir(int cur) {
    foreach file in "." {
        int fd = open file;
        do_stuff_from_command_line;
        if ISDIR(fstat fd) {
            fchdir(fd);
            do_dir(fd);
            fchdir(cur);
        }
    }
}


The problem is with

    int fd = open file;

How can you be sure that you're not opening a symlink?  When you fstat
it later it will certainly not be a symlink.

Here's a bit of perl I wrote earlier today which does eliminate the race
condition:

    #!/opt/bin/perl
    require 'sys/syscall.ph';
    require 'stat.pl';
    open(DIR, "<$ARGV[0]") || die "can't open $ARGV[0]: $!";
    ($dev1, $ino1) = (stat DIR)[$ST_DEV, $ST_INO];
    #sleep 20;
    ($dev2, $ino2) = (lstat $ARGV[0])[$ST_DEV, $ST_INO];
    if ($dev2 != $dev1 || $ino2 != $ino1) {
        print "lost race!\n";
    }
    elsif (-l _)
    {
        print "is a symlink\n";
    }
    else {
        syscall(&SYS_fchdir, fileno(DIR)) == 0 || die "can't fchdir: $!";
        print "chdir suceeded\n";
        system "/bin/pwd";
    }

The script opens a handle to the directory and notes its device and inode.
It then lstats the directory name, and checks that it hasn't been fooled
into opening a symlink.

The commented out `sleep 20;' line gave me enough time to replace a
directory with a symlink to /etc.

It would be nice if one could call fchdir(2) directly from perl, without
having to go through syscall().

Sean.
--
Sean Vickery <S.Vickery () its gu edu au>   Ph: +61 (0)7 3875 6410
Systems Programmer   Information Services   Griffith University

Current thread:

Re: [linux-security] Things NOT to put in root's crontab Christopher D. McCann (May 22)
- <Possible follow-ups>
- Re: [linux-security] Things NOT to put in root's crontab William McVey (May 22)
  - Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 22)
    - Re: [linux-security] Things NOT to put in root's crontab Sean Vickery (May 22)
    - Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 22)
    - Re: [linux-security] Things NOT to put in root's crontab Colin Jenkins (May 23)
    - Re: [linux-security] Things NOT to put in root's crontab Philip Guenther (May 23)
    - Re: [linux-security] Things NOT to put in root's crontab Colin Jenkins (May 24)
    - Re: [linux-security] Things NOT to put in root's crontab Aidas Kasparas (May 26)
    - Re: [linux-security] Things NOT to put in root's crontab Zygo Blaxell (May 23)
- Re: [linux-security] Things NOT to put in root's crontab der Mouse (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Ken Descoteaux (May 22)
- Re: [linux-security] Things NOT to put in root's crontab Paul Szabo (May 26)