Bugtraq mailing list archives
Re: Race condition in "rm -r"
From: abelits () PHOBOS ILLTEL DENVER CO US (Alex Belits)
Date: Sun, 7 May 2000 13:03:28 -0700
On Sat, 6 May 2000, Glynn Clements wrote:
Use a statically-linked "rm" and "chroot /tmp" first.

Maybe stat "." after chdir to verify that we ended up in the expected place?

More likely getcwd() will be useful -- there is nothing in stat that can tell us if we followed a link, and inode comparison may be unreliable.
My "rm" (GNU fileutils 4.0) does this:

    getdents(3, /* 45 entries */, 3933) = 924
    lstat("Imakefile", {st_mode=S_IFREG|0644, st_size=2842, ...}) = 0
    unlink("Imakefile") = 0
    lstat("pixmaps", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
    chdir("pixmaps") = 0
    close(3) = 0
1>  open(".", O_RDONLY|O_NONBLOCK) = 3
    fcntl(3, F_SETFD, FD_CLOEXEC) = 0
2>  fstat(3, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
    lseek(3, 0, SEEK_CUR) = 0
    getdents(3, /* 49 entries */, 3933) = 1112
    lstat("about.xpm", {st_mode=S_IFREG|0644, st_size=43055, ...}) = 0
    unlink("about.xpm") = 0
    lstat("apple.xpm", {st_mode=S_IFREG|0644, st_size=927, ...}) = 0
    unlink("apple.xpm") = 0

Any suggestions as to why it is doing the fstat() in (2) if it isn't checking for symlink games?

[Note: I'm not saying that it *is* checking, just that it seems odd if it isn't.]
Relevant piece from glibc 2.1.1 opendir() (other libraries probably do something similar):

---8<---
      {
        /* We first have to check whether the name is for a directory.  We
           cannot do this after the open() call since the open/close operation
           performed on, say, a tape device might have undesirable effects.  */
        if (__xstat (_STAT_VER, name, &statbuf) < 0)
          return NULL;
        if (! S_ISDIR (statbuf.st_mode))
          {
            __set_errno (ENOTDIR);
            return NULL;
          }
      }

  fd = __open (name, O_RDONLY|O_NDELAY|EXTRA_FLAGS);
  if (fd < 0)
    return NULL;

  /* Now make sure this really is a directory and nothing changed since
     the `stat' call.  */
  if (__fstat (fd, &statbuf) < 0)
    goto lose;
  if (! S_ISDIR (statbuf.st_mode))
    {
      save_errno = ENOTDIR;
      goto lose;
    }

  if (__fcntl (fd, F_SETFD, FD_CLOEXEC) < 0)
    goto lose;
--->8---

(The lines before open() don't exist in your example; however, I have left them in because otherwise the comment for fstat() doesn't make sense.)

--
Alex

----------------------------------------------------------------------
 Excellent.. now give users the option to cut your hair you hippie!
                                                  -- Anonymous Coward
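
The check discussed in this message, as an added example that is not part of the original post and is not code from GNU fileutils or glibc: the opendir() excerpt only confirms that the opened object is a directory, so this sketch also compares device and inode against the earlier lstat() and refuses a symlink at open time. The function names open_dir_verified and try_descent are hypothetical, and the use of openat(), fstatat() and O_NOFOLLOW (POSIX.1-2008 interfaces) is an assumption that goes beyond what the thread mentions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from fileutils or glibc): open `name` under the
 * directory fd `parent` only if it is still the directory that an earlier
 * lstat() recorded in `seen`. Returns an fd, or -1 if anything changed. */
int open_dir_verified(int parent, const char *name, const struct stat *seen)
{
    struct stat now;
    /* O_NOFOLLOW refuses a symlink in the final path component. */
    int fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* Like opendir()'s fstat(), but comparing identity as well as type. */
    if (fstat(fd, &now) < 0 || !S_ISDIR(now.st_mode) ||
        now.st_dev != seen->st_dev || now.st_ino != seen->st_ino) {
        close(fd);
        return -1;
    }
    return fd; /* descend with fchdir(fd) rather than chdir(name) */
}

/* Constructed scenario in a scratch directory: "pixmaps" is lstat()ed, then
 * replaced before the descent. swap: 0 = untouched, 1 = symlink, 2 = new dir.
 * Returns 1 if the descent was allowed, 0 if refused, -1 on setup failure. */
int try_descent(int swap)
{
    char tmpl[] = "/tmp/rmrace.XXXXXX";
    struct stat seen;
    int top = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (top < 0 || mkdirat(top, "pixmaps", 0700) < 0 ||
        fstatat(top, "pixmaps", &seen, AT_SYMLINK_NOFOLLOW) < 0)
        return -1;
    if (swap && (renameat(top, "pixmaps", top, "moved") < 0 ||
                 (swap == 1 ? symlinkat("moved", top, "pixmaps")
                            : mkdirat(top, "pixmaps", 0700)) < 0))
        return -1;
    int fd = open_dir_verified(top, "pixmaps", &seen);
    int allowed = fd >= 0;
    if (fd >= 0) close(fd);
    unlinkat(top, "pixmaps", swap == 1 ? 0 : AT_REMOVEDIR);
    unlinkat(top, "moved", AT_REMOVEDIR);
    close(top);
    rmdir(tmpl);
    return allowed;
}
int main(void) { return !(try_descent(0) == 1 && !try_descent(1) && !try_descent(2)); }
```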