Bugtraq mailing list archives

Re: Publically writable directories

From: wfp5p () tigger itc virginia edu (Bill Pemberton)
Date: Mon, 17 Jun 1996 09:06:09 -0400


Thomas Koenig writes:


Is there a safe way of opening a temporary file in a publically writable
directory as a normal user, given a system with symbolic links?
I'm even willing to assume a sticky bit on the directory.

Main problem: How do I disallow a malicious

$ ln -s /tmp/some.file $MYHOME/.somedotfile

at the wrong times, without getting into race conditions?


You need to open it like so:

fp_handle = open(fname, O_RDWR|O_CREAT|O_EXCL,0600)


The open() call does not follow symlinks.

--
Bill Pemberton                           wfp5p () virginia edu
ITC/Unix Systems                         flash () virginia edu
University of Virginia                   uunet!virginia!wfp5p

Current thread:

[linux-security] Big security hole in kerneld's request_route Igor Chudov @ home (Jun 13)
- system() call in suid programs Not Joe (Jan 03)
  - Re: system() call in suid programs Valdis.Kletnieks () vt edu (Jun 14)
    - Re: system() call in suid programs Max Hailperin (Jun 14)
    - Publically writable directories Thomas Koenig (Jun 16)
    - Re: Publically writable directories Neil Soveran-Charley (Jun 16)
    - Re: Publically writable directories Brian Mitchell (Jun 17)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 18)
    - Re: Publically writable directories Thomas Koenig (Jun 18)
    - Re: Publically writable directories Bill Pemberton (Jun 17)
    - Re: Publically writable directories David DeSimone (Jun 17)
    - Re: Publically writable directories Valdis.Kletnieks () vt edu (Jun 17)
    - Re: Publically writable directories Michael Dilger (Jun 17)
  - Re: system() call in suid programs Kari E. Hurtta (Jun 14)
- [linux-security] Re: Big security hole in kerneld's request_route Jacques Gelinas (Jun 13)