Re: gzip TOCTOU file-permissions vulnerability

["Peter J. Holzer" <hjp () wsr ac at>]

On 2005-04-14 09:27:11 -0600, Mark Senior wrote:
> > From: Derek Martin [mailto:code () pizzashack org] 
> > Sent: April 13, 2005 08:50
> > The open() call is at fault here.  If instead of being called 
> > with a mode of RW_USER, it is called with the final intended 
> > access mode, there is no need to later call chmod(), and the 
> > problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.

I don't know about Windows, but on POSIX systems you can create a file
without write permissions and still write to it. 

A small example from the shell:

bernon:~/tmp 12:58 121% umask 0777
bernon:~/tmp 12:58 122% echo foo > bar
bernon:~/tmp 12:58 123% ll bar
----------  1 hjp sysadm 4 Apr 15 12:58 bar

As you can see, the file has no permissions, but still length 4.

This trick is sometimes used for lock files.

        hp


-- 
   _  | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in
|_|_) | Sysadmin WSR     \the source, and you might run into a memory leak if 
| |   | hjp () wsr ac at     \you enable embedded haskell as a loadable module and
__/   | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae () op5 se

Attachment: _bin
Description: