Bugtraq mailing list archives

Re: Publically writable directories


From: jim () california sandia gov (Jim Hutchins)
Date: Tue, 18 Jun 1996 10:46:06 -0700


Is there a safe way of opening a temporary file in a publicly writable
directory as a normal user, given a system with symbolic links?
I'm even willing to assume a sticky bit on the directory.

Main problem: How do I disallow a malicious

$ ln -s /tmp/some.file $MYHOME/.somedotfile

at the wrong times, without getting into race conditions?

After thinking about this and watching some of the replies, I believe
the absolute answer is no, you cannot avoid a race condition on all
platforms.  open(2) will follow a symbolic link on the platforms I
tried, with or without O_EXCL.  Depending on what you are trying to
do, a couple possible solutions are:

1) Open the file with O_EXCL, then do an fstat, stat, and lstat and
see if they all point to the same file (what to do if they don't is
a different question).  You would also want to check the link count
and make sure it is one.  Problems with this approach have already
been discussed in the mailing list.

2) Open a file with a random name then rename it to the filename
you want.  On the systems I just tried, rename does not follow
symbolic links.  Some potential problems here are random names are
harder to guess, though not impossible (depends on how you generate
them :), and rename may follow a symbolic link on some OS versions.
Another problem is in a world-writeable directory, the file is
visible before being renamed, so if no sticky bit is available, this
is also open to a race condition.

3) Create a suid utility to do it for you.  It should be possible to
do this securely using a pre-existing sub-directory.


Jim Hutchins
Sandia National Labs, California

----------------------------------------------------------------
James A. Hutchins                 Phone:     1-510-294-2416
Sandia National Laboratories      FAX:       1-510-294-1225
P.O. Box 969,  MS9011             EMail:     jim () ca sandia gov
Livermore, CA  94551-0969
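
Approach 1 from the reply above, as an added C example that is not part of the original post: create the file with O_EXCL, then compare fstat, lstat and stat and require a link count of one before writing. The function names and the sample path are hypothetical, and the post's remark that this approach has known problems still applies.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 if fd and path name the same regular file with exactly one
 * link, -1 otherwise. Run this after open(), before writing anything. */
int same_single_file(int fd, const char *path)
{
    struct stat by_fd, by_link, by_path;

    if (fstat(fd, &by_fd) != 0 || lstat(path, &by_link) != 0 ||
        stat(path, &by_path) != 0)
        return -1;
    if (!S_ISREG(by_link.st_mode))          /* symlink, FIFO, device, ... */
        return -1;
    if (by_fd.st_dev != by_link.st_dev || by_fd.st_ino != by_link.st_ino)
        return -1;                          /* name no longer refers to fd */
    if (by_fd.st_dev != by_path.st_dev || by_fd.st_ino != by_path.st_ino)
        return -1;
    if (by_fd.st_nlink != 1)                /* file has an extra hard link */
        return -1;
    return 0;
}

/* Creates path exclusively with mode 0600 and verifies it.
 * Returns an open descriptor, or -1 if creation or any check failed. */
int create_checked(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);

    if (fd < 0)
        return -1;          /* e.g. EEXIST: the name is already taken */
    if (same_single_file(fd, path) != 0) {
        close(fd);          /* do not write through a descriptor we distrust */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* "/tmp/example.scratch" is a constructed sample path. */
    int fd = create_checked("/tmp/example.scratch");
    printf("create_checked: %s\n", fd >= 0 ? "ok" : "refused");
    if (fd >= 0) { close(fd); unlink("/tmp/example.scratch"); }
    return 0;
}
```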


