Bugtraq mailing list archives

RE: gzip TOCTOU file-permissions vulnerability


From: "Mark Senior" <Mark.Senior () gov ab ca>
Date: Thu, 14 Apr 2005 09:27:11 -0600

 

From: Derek Martin [mailto:code () pizzashack org] 
Sent: April 13, 2005 08:50


The open() call is at fault here.  If instead of being called 
with a mode of RW_USER, it is called with the final intended 
access mode, there is no need to later call chmod(), and the 
problem is averted.

One wrinkle - if the file is not intended to have user write permission
on it, and gzip (unzip/cpio/pax...) initially created it with the
intended permissions, there would be no way to then write the file.

The problem, to my understanding, is that the program opens the file by
name, then closes it, and then chmod's it, again referring to it by
name.  During which time, as you pointed out, we could be dealing with a
different inode.

If the program kept the file open, and used fchmod to change its
permissions, referring to it by file descriptor, you could be more sure
that it was the same inode it had just been writing to.

Cheers
Mark

---  end of meaningful content, legal bumph follows  ---

This email and any files transmitted with it are confidential and intended solely for the use of the individual or 
entity to whom they are addressed. If you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the individual named. If you are not the named 
addressee you should not disseminate, distribute or copy this e-mail.
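The fchmod() approach from the message above, as an added example that is not gzip's code and not part of the original post: the output file is created with a private mode, written, and given its final mode through the still-open descriptor, so a read-only final mode such as 0444 works too. The function names, file names and the swap check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Create path privately (O_EXCL, O_NOFOLLOW, 0600), write buf, then set
 * final_mode through the still-open descriptor. Returns 0 or -1. */
int write_then_fchmod(const char *path, const char *buf, size_t len, mode_t final_mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { close(fd); return -1; }
        buf += n; len -= (size_t)n;
    }
    int rc = fchmod(fd, final_mode);   /* by descriptor, not by name */
    return close(fd) == 0 ? rc : -1;
}

/* Constructed check: the name is re-pointed at a new inode while the writer's
 * descriptor is open. Returns 1 if fchmod() changed only the written inode. */
int fchmod_ignores_swapped_name(const char *path, const char *moved)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || rename(path, moved) < 0) return 0;
    int other = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600); /* new inode */
    if (other < 0) return 0;
    close(other);
    int rc = fchmod(fd, 0444);
    close(fd);
    return rc == 0 && mode_of(moved) == 0444 && mode_of(path) == 0600;
}

int main(void)
{
    char dir[] = "/tmp/fchmod-demo-XXXXXX";
    if (!mkdtemp(dir) || chdir(dir) < 0) return 1;
    if (write_then_fchmod("ro", "data\n", 5, 0444) < 0) return 1;
    return fchmod_ignores_swapped_name("out", "moved") ? 0 : 1;
}
```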

