Bugtraq mailing list archives
Re: gzip TOCTOU file-permissions vulnerability
From: Scott Gifford <sgifford () suspectclass com>
Date: Fri, 15 Apr 2005 01:33:12 -0400
"Mark Senior" <Mark.Senior () gov ab ca> writes:
From: Derek Martin [mailto:code () pizzashack org] Sent: April 13, 2005 08:50 The open() call is at fault here. If instead of being called with a mode of RW_USER, it is called with the final intended access mode, there is no need to later call chmod(), and the problem is averted.One wrinkle - if the file is not intended to have user write permission on it, and gzip (unzip/cpio/pax...) initially created it with the intended permissions, there would be no way to then write the file.
In a quick test, this seems not to be true, at least on my Linux system. It may be true over NFS. [gifford@gifford tmp]$ ls -ld testfile ls: testfile: No such file or directory [gifford@gifford tmp]$ cat t.c #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <fcntl.h> void die(char *msg) { perror(msg); exit(1); } int main() { int fd; if ((fd = open("testfile",O_CREAT|O_WRONLY,0)) < 0) die("open failed"); if (write(fd,"output\n",7) < 0) die("write failed"); if (close(fd) < 0) die("close failed"); return 0; } [gifford@gifford tmp]$ gcc -Wall t.c [gifford@gifford tmp]$ ./a.out [gifford@gifford tmp]$ ls -ld testfile ---------- 1 gifford gifford 7 Apr 15 01:28 testfile [gifford@gifford tmp]$ chmod +r testfile [gifford@gifford tmp]$ cat testfile output [gifford@gifford tmp]$ ----ScottG.
Current thread:
- Re: gzip TOCTOU file-permissions vulnerability, (continued)
- Re: gzip TOCTOU file-permissions vulnerability Peter J. Holzer (Apr 13)
- Re: gzip TOCTOU file-permissions vulnerability Joey Hess (Apr 13)
- Re: gzip TOCTOU file-permissions vulnerability psz (Apr 14)
- Re: gzip TOCTOU file-permissions vulnerability Theodor Milkov (Apr 15)
- Re: gzip TOCTOU file-permissions vulnerability Derek Martin (Apr 14)
- RE: gzip TOCTOU file-permissions vulnerability Mark Senior (Apr 14)
- Re: gzip TOCTOU file-permissions vulnerability Derek Martin (Apr 14)
- Re: gzip TOCTOU file-permissions vulnerability devnull (Apr 15)
- Re: gzip TOCTOU file-permissions vulnerability Dmitry Yu. Bolkhovityanov (Apr 16)
- Re: gzip TOCTOU file-permissions vulnerability Peter J. Holzer (Apr 15)
- Re: gzip TOCTOU file-permissions vulnerability Scott Gifford (Apr 15)
- Re: gzip TOCTOU file-permissions vulnerability Steve Grubb (Apr 14)