Re: Publically writable directories

[Valdis.Kletnieks () vt edu (Valdis.Kletnieks () vt edu)]

--===_-1_Mon_Jun_17_11:34:18_EDT_1996
Content-Type: text/plain; charset=us-ascii

On Sun, 16 Jun 1996 18:30:50 +0200, you said:
> Is there a safe way of opening a temporary file in a publically writable
> directory as a normal user, given a system with symbolic links?
> I'm even willing to assume a sticky bit on the directory.
>
> Main problem: How do I disallow a malicious
>
> $ ln -s /tmp/some.file $MYHOME/.somedotfile
>
> at the wrong times, without getting into race conditions?

I'm not sure which you are asking for.

Is it "how does a set-UID program properly test that $MYHOME/.somedotfile
is in fact owned by the right user, and not a link to something it shouldnt be"

or are you asking "If $MYHOME is world-writeable, how do I prevent people
from putting in malicious symlinks?".

If it is the latter, note that symlinks aren't needed - you can just 'cp' in
whatever malicious .somedotfile you want. You have bigger problems than
symlinks ;)

If it is the former, I'd say it is the program's responsibility to verify
the contents of a .dotfile.  Personally, I usually open() the file, then
fstat() the file descriptor, and verify that what I opened was what I wanted
to open (check ownerships, permissions, major/minor/inode numbers, etc).

And then of course sanity-check the contents as appropriate for the program.
--
                                Valdis Kletnieks
                                Computer Systems Engineer
                                Virginia Tech



--===_-1_Mon_Jun_17_11:34:18_EDT_1996
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.1

iQCVAwUBMcV6+dQBOOoptg9JAQH6xwP+OtfETTpg4RJ3oXLoz3vl7vSuNjRUHCAe
mdNeDshwmrc+gGc79rtuEb43c4Emix5B6gTmlDm+coCRrsaw0Ir4jhSJjniy57dA
4SkTUbbU6i8C5OW3elhkKhvsc5xU0N4ZWu8uGGhgFVM6GGGvVd2ekU8+4lZM1EuP
YpyLuIYo4NM=
=dE/3
-----END PGP MESSAGE-----

--===_-1_Mon_Jun_17_11:34:18_EDT_1996--