RE: gzip TOCTOU file-permissions vulnerability
From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 04/14/05
- Previous message: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Maybe in reply to: Imran Ghory: "gzip TOCTOU file-permissions vulnerability"
- Next in thread: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: devnull_at_Rodents.Montreal.QC.CA: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Peter J. Holzer: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Scott Gifford: "Re: gzip TOCTOU file-permissions vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 14 Apr 2005 09:27:11 -0600 To: "Derek Martin" <code@pizzashack.org>, <bugtraq@securityfocus.com>
> From: Derek Martin [mailto:code@pizzashack.org]
> Sent: April 13, 2005 08:50
>
>
> The open() call is at fault here. If instead of being called
> with a mode of RW_USER, it is called with the final intended
> access mode, there is no need to later call chmod(), and the
> problem is averted.
One wrinkle - if the file is not intended to have user write permission
on it, and gzip (unzip/cpio/pax...) initially created it with the
intended permissions, there would be no way to then write the file.
The problem, to my understanding, is that the program opens the file by
name, then closes it, and then chmod's it, again referring to it by
name. During which time, as you pointed out, we could be dealing with a
different inode.
If the program kept the file open, and used fchmod to change its
permissions, referring to it by file descriptor, you could be more sure
that it was the same inode it had just been writing to.
Cheers
Mark
--- end of meaningful content, legal bumph follows ---
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
- Previous message: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Maybe in reply to: Imran Ghory: "gzip TOCTOU file-permissions vulnerability"
- Next in thread: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Derek Martin: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: devnull_at_Rodents.Montreal.QC.CA: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Peter J. Holzer: "Re: gzip TOCTOU file-permissions vulnerability"
- Reply: Scott Gifford: "Re: gzip TOCTOU file-permissions vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
