Re: HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail



On Tue, 16 Jan 2007, Pawel Jakub Dawidek wrote:

> On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
>> install -S ...
>> ... can easily
>> be made both safer (actually no-clobber) and securer by opening the file
>> with O_EXCL and exiting if the file exists at the time of the open.
>> Perhaps cp -f should do the same. (Both have paths where they do a
>> forced unlink() followed by an open(). This open() can easily use O_EXCL).

> Interesting. I was sure it wouldn't work as you described, because the
> target file can be a symlink and open(2) by default follows symlinks.
> I thought that you just forgot about the O_NOFOLLOW flag, but it seems that
> with O_EXCL open(2) doesn't follow symlinks, so it will work.

I did forget it. I just assumed that doing the same thing as mkstemp()
is as secure as possible, and it is. Old versions of mkstemp() couldn't
use O_NOFOLLOW since O_NOFOLLOW has only existed since Y2K. New
versions don't use it because it is unnecessary. Exclusive access
isn't enough for security since if open() followed a dangling link it
would create a security hole with (O_CREAT | O_EXCL). But there is
no problem since O_EXCL implies not following symlinks even if O_NOFOLLOW
is not supported. This is documented in open(2) and better documented
in POSIX.

Bruce
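The behaviour discussed above, as an added demonstration that is not code from the thread or from the FreeBSD install/cp sources: both probes build a constructed scratch directory under /tmp containing a dangling symlink "newfile" -> "victim", then open "newfile" once the way a clobbering unlink()-then-open() path would and once with O_CREAT|O_EXCL. The function names and the /tmp location are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Create a scratch dir holding "newfile" -> "victim" where "victim" does
 * not exist (a dangling symlink), then open("newfile", flags).
 * Returns 1 if the open created "victim" (the link was followed),
 * 0 if the open was refused with EEXIST, -1 if setup failed. */
static int open_through_dangling_link(int flags)
{
    char dir[] = "/tmp/exclXXXXXX";   /* constructed scratch location */
    char link[256], target[256];
    int fd, created;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(link, sizeof link, "%s/newfile", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) {
        rmdir(dir);
        return -1;
    }
    fd = open(link, flags, 0644);
    if (fd != -1)
        close(fd);
    else if (errno != EEXIST)
        perror("open");
    created = access(target, F_OK) == 0;   /* did the target come into being? */

    unlink(target);
    unlink(link);
    rmdir(dir);
    return created;
}

/* The open() that follows a forced unlink() in install -S / cp -f, as the
 * thread describes it: without O_EXCL the dangling link is followed and
 * "victim" is created wherever the link pointed. */
int clobbering_open_follows_link(void)
{
    return open_through_dangling_link(O_WRONLY | O_CREAT | O_TRUNC);
}

/* The fix Bruce proposes: with O_CREAT|O_EXCL, open(2) fails with EEXIST on
 * the symlink itself, whether or not its target exists, so nothing is created. */
int exclusive_open_refuses_link(void)
{
    return open_through_dangling_link(O_WRONLY | O_CREAT | O_EXCL);
}
```

Both functions return -1 if /tmp is not writable, which is a setup failure rather than a statement about open(2).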
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"