Bugtraq mailing list archives

Re: Symlinks and Cryogenic Sleep

From: ant () NOTATLA DEMON CO UK (Antonomasia)
Date: Tue, 4 Jan 2000 22:32:16 GMT


Olaf Kirch asked about checking files when you reopen them and
questioned the usefulness of

      if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) {
              fd = open(fname, O_RDWR);
              if (fd < 0 || fstat(fd, &stb2) < 0
               || ino_or_dev_mismatch(&stb1, &stb2))
                      raise_big_stink()
      } else {
              /* do the O_EXCL thing */
      }


Mark A. Heilpern" <heilpern () MINDSPRING COM> and
der Mouse <mouse () RODENTS MONTREAL QC CA> maintain that mortals can only
send a SIGSTOP to their own processes.

When I send a SIGSTOP to a passwd process (uid=me,euid=0) I get:

linux 2.0.36:  stopped
linux 2.2.12:  stopped
OpenBSD 2.5:   stopped

No doubt Olaf selected SIGSTOP in his example because it cannot be handled.

Goetz Babin-Ebell <babinebell () TRUSTCENTER DE> provided some code which
I've not tested but looks as if it will leak open files and will
call fopen(cpFile,"a"); first and lstat() afterwards.  This could lead
to the creation of unintended files at the symlink target.  Only comparison
to S_IFLNK is done, leaving named pipes in the running.
It might also be raced either side of the lstat() call.  fstat() is not used.

While I'm on this I'll mention a code scanner I wrote last year for checking
file races.  It follows a description of an unpublished scanner by Matt Bishop
and Michael Dilger and is demonstrated on sendmail-8.6.10.  In Perl.
http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz

Olaf's suggested function ino_or_dev_mismatch(&stb1, &stb2) could be
extended to check the file's owner and group remain unchanged.  This
means even if a file is switched the attacker gains nothing - he has
to replace it with an equivalent file.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################

Current thread:

Re: Symlinks and Cryogenic Sleep, (continued)
- - Re: Symlinks and Cryogenic Sleep Marc Heuse (Jan 05)
- Re: Symlinks and Cryogenic Sleep Wietse Venema (Jan 04)
- Re: Symlinks and Cryogenic Sleep Pavel Machek (Jan 04)
- Security problem with Solstice Backup/Legato Networker recover command Chris Siebenmann (Jan 04)
- Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08 Ussr Labs (Jan 05)
- Re: Symlinks and Cryogenic Sleep Pavel Kankovsky (Jan 05)
- [RHSA-2000:002] New lpr packages available Bill Nottingham (Jan 07)
- Re: Symlinks and Cryogenic Sleep der Mouse (Jan 03)
- Re: Symlinks and Cryogenic Sleep Marc Heuse (Jan 04)
- Re: Symlinks and Cryogenic Sleep John Cochran (Jan 04)
- Re: Symlinks and Cryogenic Sleep Antonomasia (Jan 04)
- Re: Symlinks and Cryogenic Sleep Antonomasia (Jan 05)