Bugtraq mailing list archives
Re: gzip TOCTOU file-permissions vulnerability
From: psz () maths usyd edu au
Date: Thu, 14 Apr 2005 10:29:21 +1000
Joey Hess <joeyh () debian org> wrote:
> ... really dumb idea to have a group/world-writeable directory without the sticky bit.
>
> It may be really dumb, but it's pretty common practice too. ... Just a few examples within the Debian project ...

Kindly add the Debian example:

    psz@pisa:/usr/local$ ls -ld .
    drwxrwsr-x 10 root staff 4096 Nov 13  2002 .

For Debian this is "mandated by policy":

The Debian Policy Manual [1] says:

    ... /usr/local take precedence over the equivalents in /usr. ... should have permissions 2775 and be owned by root.staff.

but it [2] also says:

    ... make sure that [it] is secure ... Files should be owned by root.root ... mode 644 or 755. Directories should be mode 755 or 2775 ... owned by the group that needs write access to it. ...

References:
[1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
[2] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9

(please see http://bugs.debian.org/299007 for more details).

> (gzip is not typically run in any of these directories AFAIK, FWIW).

Typically? Suppose I (as simple user psz) do

    cd $HOME; touch xyz; chmod 666 xyz; gzip xyz

and tell my system manager that I have problems with that gzipped file. While root is running "gunzip ~psz/xyz" I do

    rm xyz; ln /etc/passwd xyz

then we end up with /etc/passwd world-writable. (Bzip uses chown also, so using bzip2/bunzip would get /etc/passwd owned by psz; am not sure about gzip or cpio.)

Cheers,

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
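The race Paul describes exists because the permission change is applied to a path name that may no longer name the file the program wrote. An added example follows (written for this archive page, not code from gzip, bzip2 or Debian): the output is created as a brand-new file and its ownership and mode are copied with fstat/fchown/fchmod on the open descriptors, so a hard link planted at the path between the write and the chmod is never touched. The function names, the `/tmp/toctou-demo-XXXXXX` directory, the stand-in `xyz.gz` content and the link-count check are all assumptions of this example; it sketches the pattern, not any particular project's fix.

```c
/* Added example: descriptor-bound attribute copying for a decompressor.
 * Not gzip's code; names and the demo data are constructed for this page. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy ownership and permission bits from in_fd to out_fd using only
 * descriptor-based calls. Whatever the path "xyz" names by now, the
 * descriptor still refers to the file this process created, so a hard
 * link to /etc/passwd dropped at that path never receives the new mode.
 * Returns 0 on success, -1 with errno set on failure. */
int copy_attrs_by_fd(int in_fd, int out_fd)
{
    struct stat st_in, st_out;

    if (fstat(in_fd, &st_in) == -1 || fstat(out_fd, &st_out) == -1)
        return -1;
    /* Both ends must be plain regular files, and the output must have
     * exactly one name: if it gained a second hard link since we created
     * it, refuse rather than hand out permissions to that other name. */
    if (!S_ISREG(st_in.st_mode) || !S_ISREG(st_out.st_mode) || st_out.st_nlink != 1) {
        errno = EPERM;
        return -1;
    }
    /* Ownership first (skipped when it already matches, so an unprivileged
     * caller is never asked to chown), then the permission bits. */
    if ((st_out.st_uid != st_in.st_uid || st_out.st_gid != st_in.st_gid) &&
        fchown(out_fd, st_in.st_uid, st_in.st_gid) == -1)
        return -1;
    if (fchmod(out_fd, st_in.st_mode & 07777) == -1)
        return -1;
    return 0;
}

/* Create the output as a brand-new file: O_EXCL fails if anything already
 * sits at the path, O_NOFOLLOW refuses a symlink, and the 0600 initial
 * mode keeps the file private until the attributes have been copied. */
int open_fresh_output(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo driver (constructed data, not a real gzip stream): writes a stand-in
 * "xyz.gz" with the requested mode in a fresh temporary directory, produces
 * "xyz" beside it through the safe path, and returns the permission bits the
 * output ended up with, or -1 on any failure. */
int demo_safe_decompress(mode_t mode)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char src[64], dst[64];
    int in_fd = -1, out_fd = -1, result = -1;
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(src, sizeof src, "%s/xyz.gz", dir);
    snprintf(dst, sizeof dst, "%s/xyz", dir);
    in_fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (in_fd == -1 || fchmod(in_fd, mode) == -1)  /* fchmod: not masked by umask */
        goto out;
    out_fd = open_fresh_output(dst);
    if (out_fd == -1 || write(out_fd, "plaintext\n", 10) != 10)
        goto out;
    if (copy_attrs_by_fd(in_fd, out_fd) == 0 && fstat(out_fd, &st) == 0)
        result = (int)(st.st_mode & 07777);
out:
    if (in_fd != -1) close(in_fd);
    if (out_fd != -1) close(out_fd);
    unlink(src); unlink(dst); rmdir(dir);
    return result;
}

/* Shows the link-count check firing: once the output has a second name,
 * copy_attrs_by_fd refuses it. Returns 1 if it was refused with EPERM. */
int demo_rejects_linked_output(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char src[64], dst[64], alias[64];
    int in_fd = -1, out_fd = -1, refused = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(src, sizeof src, "%s/xyz.gz", dir);
    snprintf(dst, sizeof dst, "%s/xyz", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    in_fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    out_fd = (in_fd == -1) ? -1 : open_fresh_output(dst);
    if (out_fd != -1 && link(dst, alias) == 0)
        refused = (copy_attrs_by_fd(in_fd, out_fd) == -1 && errno == EPERM);
    if (in_fd != -1) close(in_fd);
    if (out_fd != -1) close(out_fd);
    unlink(alias); unlink(src); unlink(dst); rmdir(dir);
    return refused;
}

int main(void)
{
    printf("output mode 0%o, linked output refused: %d\n",
           demo_safe_decompress(0666), demo_rejects_linked_output());
    return 0;
}
```

The link-count test is deliberately conservative: a user who can write anywhere on the same filesystem can still add a second name to the freshly created output, but the worst that then happens is that the attribute copy fails, not that some other file's permissions change. Note also that a 2775 directory such as Debian's /usr/local is exactly where the O_EXCL creation matters, since any member of the group could otherwise pre-place a link at the output path.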