Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Symlinks and Cryogenic Sleep

From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Mon, 3 Jan 2000 21:04:27 -0500


[symlink-paranoia code]



However, consider an average setuid root application, [...].  When
the application reaches the critical section of code between the
lstat and the open, you stop it by sending it a SIGSTOP.


If you can send it a SIGSTOP, either you're running as root (in which
case you don't *need* to play with symlink races), the application is
running as you (in which case breaking it buys you nothing), or signal
delivery is critically broken.

In fact, I suspect that any process you can SIGSTOP, you can attach to
with ptrace and do whatever you want without need for subtrefuge.


      --for instance a lookup of /tmp/foo (as done by lstat()) will
      change the directory's atime.


"That turns out not to be the case."  Or at least, you can't count on
it:

[Sparkle] 115> ls -ldu /tmp
drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
[Sparkle] 116> date
Mon Jan  3 23:15:27 EST 2000
[Sparkle] 117> ls -ld /tmp/foobar
/tmp/foobar not found
[Sparkle] 118> ls -ldu /tmp
drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
[Sparkle] 119>

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
Previous By Date Next
Previous By Thread Next

Current thread: