Bugtraq mailing list archives

Re: Symlinks and Cryogenic Sleep


From: mikael.olsson () ENTERNET SE (Mikael Olsson)
Date: Wed, 5 Jan 2000 09:34:01 +0100


I think I see a flaw with this...

Goetz Babin-Ebell wrote:

I did something that way:

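#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Log() is the poster's own logging helper, defined elsewhere. */
FILE *DoOpen(const char *cpFile, long bAppend)
{
   FILE *spNew;
   FILE *spTest;
   struct stat sStat;

   /* open by name first, in append mode so nothing is truncated yet */
   spTest = fopen(cpFile,"a");
   if (!spTest)
   {
      Log("ERR FILE OPEN",cpFile);
      return NULL;
   }
   /* check by name again: this is the window discussed in the reply */
   if (lstat(cpFile,&sStat))
   {
      fclose(spTest);
      Log("ERR STAT",cpFile);
      return NULL;
   }
   if ((sStat.st_mode & S_IFMT) == S_IFLNK)
   {
      fclose(spTest);
      Log("ERR ISLINK",cpFile);
      return NULL;
   }
   if (bAppend)
      spNew = spTest;
   else
   {
      /* freopen() closes spTest itself and reuses the stream,
         so it must not be closed again here */
      spNew = freopen(cpFile,"w",spTest);
   }
   if (!spNew)
   {
      Log("ERR FILE OPEN",cpFile);
      return NULL;
   }
   return spNew;
}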


In my tired state, I get the feeling that you open
yourself up to an inverted race situation here.

In this situation, the file that you open may
be a link, but before it is stat()ed, it may
be deleted (yes you can do this even though
it is open) and replaced with a normal file,
so that stat() won't complain.

I'd suggest that you don't stat the file by
name, but rather by the file descriptor that
you already have (_fstat()?); this way you know
that you are stat()ing the same file that you
actually opened (I hope!).

Oh, and the freopen() call opens you up to
another race situation (I think).
AFAIK, freopen() is just a shorthand for
fclose() followed by fopen(), so that leaves
room for a race situation.
(I might be talking out of my arse here tho)
If it were me, I'd move the file pointer to 0
and set the file length to 0; this way the file
remains open all the time, and you still get the
desired effect.

<flame shield>
I'm _REALLY_ tired
Just so you know :-)
</flame shield>

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50           Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se
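
Added example, not part of the original post or of either poster's code: one way to apply the two suggestions above, checking the descriptor that was actually opened and truncating through it instead of calling freopen(). The name safe_open() is hypothetical, and the use of O_NOFOLLOW goes beyond what the message proposes and assumes a POSIX.1-2008 platform.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* safe_open() is a hypothetical name; returns NULL if any check fails. */
FILE *safe_open(const char *path, int append)
{
    struct stat by_fd, by_name;
    FILE *fp;
    /* No O_TRUNC: nothing is destroyed before the checks pass.
     * O_NOFOLLOW (assumption: POSIX.1-2008 platform) refuses a symlink
     * in the final path component at open() time. */
    int flags = O_WRONLY | O_CREAT | O_NOFOLLOW | (append ? O_APPEND : 0);
    int fd = open(path, flags, 0600);

    if (fd < 0)
        return NULL;
    /* Stat the object actually opened, not whatever the name points to now. */
    if (fstat(fd, &by_fd) != 0 || !S_ISREG(by_fd.st_mode))
        goto fail;
    /* The name must still refer to that same object and must not be a link. */
    if (lstat(path, &by_name) != 0 || S_ISLNK(by_name.st_mode) ||
        by_name.st_dev != by_fd.st_dev || by_name.st_ino != by_fd.st_ino)
        goto fail;
    /* Instead of freopen(): set the length to 0 through the descriptor,
     * so the file stays open the whole time. The offset is already 0. */
    if (!append && ftruncate(fd, 0) != 0)
        goto fail;
    fp = fdopen(fd, append ? "a" : "w");   /* fdopen() "w" does not truncate */
    if (fp)
        return fp;
fail:
    close(fd);
    return NULL;
}
```
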


