oss-sec mailing list archives
Re: Suid mount helpers fail to anticipate RLIMIT_FSIZE
From: Tomas Hoger <thoger () redhat com>
Date: Wed, 27 Apr 2011 16:56:43 +0200
On Tue, 15 Mar 2011 09:13:00 -0400 Dan Rosenberg wrote:
> util-linux mount
> =============
> * Edits /etc/mtab.tmp with custom my_addmntent(), behaves identically to
>   glibc addmntent() in terms of return code
> * Succeeds on partial writes, does not remove temp file on failure (could
>   result in additional corruption of /etc/mtab through multiple
>   invocations), does not remove lock file /etc/mtab~ on failure (also an
>   issue)

Dan, would you mind clarifying the way to achieve mtab corruption via truncated left-over mtab.tmp file and multiple invocations? After some discussion with our util-linux maintainer, we fail to see an obvious way.

util-linux opens mtab.tmp using "w" fopen open, i.e. using O_TRUNC open flag. So if there's any mtab.tmp file found, it's overwritten and its existence does not block further use of mount / umount as existence of mtab~ lock file does.

Thank you!

--
Tomas Hoger / Red Hat Security Response Team
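The failure mode discussed in this message, as an added example that is not part of the original post and is not util-linux code: a temp-file update that treats a short write under RLIMIT_FSIZE as a failure, removes the temp file and leaves the target untouched. The names update_file and demo, the file contents and the /tmp/fsizeXXXXXX directory are constructed for illustration; SIGXFSZ is ignored so the write returns EFBIG instead of killing the process.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Write data to tmp, then rename it over path. A short write fails the
 * update and removes tmp, so path is never replaced by a truncated copy. */
int update_file(const char *path, const char *tmp, const char *data)
{
    FILE *f = fopen(tmp, "w");        /* "w" implies O_TRUNC, as in the thread */
    if (!f) return -1;
    int bad = fputs(data, f) == EOF;
    bad |= fflush(f) != 0;            /* EFBIG from RLIMIT_FSIZE surfaces here */
    bad |= fsync(fileno(f)) != 0;
    bad |= fclose(f) != 0;
    if (!bad && rename(tmp, path) == 0)
        return 0;
    unlink(tmp);                      /* never leave a partial temp file behind */
    return -1;
}

/* Constructed demo: update a scratch file with the soft size limit set to
 * `limit`. Returns 0 = updated, 1 = refused with old file intact, -1 = other. */
int demo(rlim_t limit, const char *newdata)
{
    char dir[] = "/tmp/fsizeXXXXXX", path[64], tmp[64], buf[256] = "";
    struct rlimit old, lim;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/mtab", dir);
    snprintf(tmp, sizeof tmp, "%s/mtab.tmp", dir);
    if (update_file(path, tmp, "old entry\n") != 0) return -1;
    signal(SIGXFSZ, SIG_IGN);         /* else the kernel kills the writer */
    getrlimit(RLIMIT_FSIZE, &old);
    lim = old; lim.rlim_cur = limit;
    setrlimit(RLIMIT_FSIZE, &lim);
    int failed = update_file(path, tmp, newdata) != 0;
    setrlimit(RLIMIT_FSIZE, &old);    /* restore the caller's soft limit */
    FILE *f = fopen(path, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    int clean = access(tmp, F_OK) != 0 &&
                strcmp(buf, failed ? "old entry\n" : newdata) == 0;
    unlink(path); rmdir(dir);
    return clean ? failed : -1;
}

int main(void) { return demo(4, "new entry one\nnew entry two\n") != 1; }
```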