Re: access() is a security hole?

From: David Schultz (dschultz@uclink.Berkeley.EDU)
Date: 10/12/02


Date: Fri, 11 Oct 2002 20:11:20 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Don Lewis <dl-freebsd@catspoiler.org>

Thus spake Don Lewis <dl-freebsd@catspoiler.org>:
> > It's not at all clear how to solve this in userland. In the absence
> > of symlinks, you can parse the pathname, using open(),fstat(),fchdir()
> > to securely get to the final pathname component. Unfortunately,
> > there's no way to securely do this and handle symlinks (because you
> > have to use lstat() to detect a symlink and there is a gap between
> > the lstat() and subsequent open()).
>
> It's worse than that because you can run into the same problems with
> trying to verify the directory permissions before doing mkdir(),
> rmdir(), link(), symlink(), etc.

In addition to what has already been mentioned, consider what
happens when someone creates a symlink to a tape drive. Just the
act of opening the device may have actions associated with it.
Really, there ought to be a version of the open syscall that takes
an argument specifying the credentials to use for the call, but
instead we're stuck with the lovely setuid suite of functions.

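The reply above says the lstat()-then-open() gap cannot be closed from userland. What a defender does instead is skip the name-based check altogether: open with O_NOFOLLOW so the kernel itself refuses a symlink in the final component, and run the type and ownership checks with fstat() on the descriptor that was actually opened. The C program below is an added example written for this page, not code from the thread, from FreeBSD or from any of the posters; it assumes a POSIX system that supports O_NOFOLLOW (Linux or FreeBSD), and the names `safe_open_regular`, `build_fixture`, `probe`, `run_demo`, the scratch directory and its entries are all my own, constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700   /* POSIX.1-2008 names: O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of safe_open_regular(); *fd_out is only valid on SAFE_OK. */
enum safe_open_result {
    SAFE_OK = 0,
    SAFE_SYMLINK,      /* final path component is a symlink: refused by the kernel */
    SAFE_NOT_REGULAR,  /* we opened something other than a regular file */
    SAFE_BAD_OWNER,    /* the file is not owned by the expected uid */
    SAFE_ERROR         /* any other open()/fstat() failure, errno is set */
};

/*
 * Open `path` read-only with no check-then-open gap:
 *  - O_NOFOLLOW makes open() fail instead of following a symlink in the final
 *    component, so there is no lstat()-then-open() window to repoint the link;
 *  - O_NONBLOCK keeps open() from hanging on a FIFO or a device that blocks;
 *  - type and owner are checked with fstat() on the descriptor we hold, so the
 *    object checked is the object used.
 * The open() still runs before the checks: open-time side effects of a device
 * node reached without a symlink are not prevented, and symlinks in
 * intermediate components are still followed.
 */
enum safe_open_result safe_open_regular(const char *path, uid_t owner, int *fd_out)
{
    struct stat st;
    int fd, flags;

    *fd_out = -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)  /* Linux reports a refused symlink as ELOOP, FreeBSD as EMLINK */
        return (errno == ELOOP || errno == EMLINK) ? SAFE_SYMLINK : SAFE_ERROR;
    if (fstat(fd, &st) != 0) { close(fd); return SAFE_ERROR; }
    if (!S_ISREG(st.st_mode)) { close(fd); return SAFE_NOT_REGULAR; }
    if (st.st_uid != owner)   { close(fd); return SAFE_BAD_OWNER; }
    /* Reads on a regular file never block; clear O_NONBLOCK for normal use. */
    if ((flags = fcntl(fd, F_GETFL)) >= 0)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    *fd_out = fd;
    return SAFE_OK;
}

/* Constructed fixture: a scratch directory under $TMPDIR (or /tmp) holding a
 * regular file `reg`, a symlink `lnk` -> reg and a FIFO `fifo`. Writes the
 * directory path into `dir` (at least 128 bytes); returns 0 on success. */
int build_fixture(char *dir, size_t dirlen)
{
    const char *base = getenv("TMPDIR");
    char p[256];
    FILE *f;

    if (!base) base = "/tmp";
    if (snprintf(dir, dirlen, "%s/accessdemo.XXXXXX", base) >= (int)dirlen)
        return -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(p, sizeof p, "%s/reg", dir);
    if (!(f = fopen(p, "w")))
        return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/lnk", dir);
    if (symlink("reg", p) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/fifo", dir);
    return mkfifo(p, 0600);
}

/* Try safe_open_regular() on one fixture entry and report the outcome. */
enum safe_open_result probe(const char *dir, const char *name)
{
    char p[256];
    int fd;
    enum safe_open_result r;

    snprintf(p, sizeof p, "%s/%s", dir, name);
    r = safe_open_regular(p, getuid(), &fd);
    if (r == SAFE_OK)
        close(fd);
    return r;
}

/* Build the fixture, probe all three entries, clean up, and encode the outcomes
 * as reg*100 + lnk*10 + fifo; the expected value is 0*100 + 1*10 + 2 = 12. */
int run_demo(void)
{
    char dir[128], p[256];
    int reg, lnk, fifo;
    const char *names[] = { "reg", "lnk", "fifo" };

    if (build_fixture(dir, sizeof dir) != 0)
        return -1;
    reg = probe(dir, "reg"); lnk = probe(dir, "lnk"); fifo = probe(dir, "fifo");
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", dir, names[i]); unlink(p); }
    rmdir(dir);
    return reg * 100 + lnk * 10 + fifo;
}

int main(void)
{
    int code = run_demo();
    printf("encoded outcomes: %d (12 = reg OK, lnk SYMLINK, fifo NOT_REGULAR)\n", code);
    return code == 12 ? 0 : 1;
}
```

The FIFO entry stands in for the tape-drive case in the message: O_NONBLOCK lets the open return, and fstat() then rejects it because it is not a regular file. Two caveats follow directly from the thread. First, the kernel still performs the open before the checks, so an open-time side effect on a device reached through a plain path is not avoided; O_NOFOLLOW only removes the symlink route. Second, this helps only for open(); it does nothing for the directory-permission checks before mkdir(), rmdir(), link() or symlink() that Don Lewis raises, where there is no descriptor to fstat().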
