Bugtraq mailing list archives

Re: Xinetd /tmp race?


From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Sat, 14 Nov 1998 00:12:53 +0100


On Fri, 13 Nov 1998, Marc Heuse wrote:

+       dump_fd = open( dump_file, O_WRONLY + O_CREAT + O_EXCL, DUMP_FILE_MODE ) ;
+       if ( dump_fd == -1 )
+       {
+               if ( lstat( dump_file, &stat) != 0)
+               {
+                       msg( LOG_ERR, func, "failed to open %s: %m", dump_file ) ;
+                       return ;
+               }
+               if (stat.st_uid != getuid())
+               {
+                       msg( LOG_ERR, func, "security: I'm not owning %s: %m", dump_file ) ;
+                       return ;
+               }
+               dump_fd = open( dump_file, O_WRONLY + O_APPEND) ;
+       }
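
Review bot: The `stat.st_uid != getuid()` test in the fallback branch does not reject a hard link planted at dump_file. lstat() reports the owner of the linked file, so a link to any file owned by the daemon's uid passes the check, and the following `open( dump_file, O_WRONLY + O_APPEND)` then appends to that file. Nothing ties the lstat() result to the inode that open() later reaches, so the name can also change between the two calls. Suggest dropping the reopen path: fail when the O_EXCL open fails, or create the file under a fresh name and rename it into place. If the reopen stays, require a regular file with st_nlink == 1 and compare fstat() on the opened descriptor with the lstat() result. Minor: the "not owning" message uses %m although no call has failed at that point, and the local variable named `stat` shadows stat().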

ln /etc/passwd /tmp/whatever_the_filename_was

I wonder whether my first message suggesting to create a file under a
randomized filename (with mkstemp() for instance) and rename (which
should be safer) ended up in Aleph1's /dev/null ;)

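   /* tmp_filename must be a writable buffer large enough for the template */
   strcpy(tmp_filename, "/path/blahXXXXXX");
   dump_fd = mkstemp(tmp_filename);   /* creates a new file under a unique name */
   if (dump_fd != -1) {
     /* move the new file over the final name */
     if (rename(tmp_filename, real_filename) == -1) {
       save_errno = errno;            /* keep rename()'s error across cleanup */
       close(dump_fd);  dump_fd = -1;
       unlink(tmp_filename);
       errno = save_errno;
     }
   }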

(of course, one must be careful not to introduce a buffer overrun
during tmp_filename construction)

--Pavel Kankovsky aka Peak  [ Boycott Czech Telecom--http://www.bojkot.cz ]
"spt Telecom... ted zdrazujeme zitrek!" [ Engl. lang. info-- .../english/ ]


