Re: gzip TOCTOU file-permissions vulnerability

devnull_at_Rodents.Montreal.QC.CA
Date: 04/15/05

  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200504-14 ] monkeyd: Multiple vulnerabilities" 
    Date: Thu, 14 Apr 2005 22:35:52 -0400 (EDT)
To: bugtraq@securityfocus.com

    [As usual when I write to bugtraq, the From: header address is a
    blackhole address, a broken-autoresponder defense. Use the signature
    address to reach me.]

    >> The open() call is at fault here. If instead of being called with a
    >> mode of RW_USER, it is called with the final intended access mode,
    >> there is no need to later call chmod(), and the problem is averted.
    > One wrinkle - if the file is not intended to have user write
    > permission on it, and gzip (unzip/cpio/pax...) initially created it
    > with the intended permissions, there would be no way to then write
    > the file.

    This is not how most Unix variants work: provided you have an
    open-for-write descriptor on a file, you can write to it as long as the
    descriptor survives even if the file's permissions deny you write
    access.

    In particular, creating a file for write with a mode forbidding writing
    is not at all impossible.

    Now, if you're not on a Unix variant, or for all I know even some of
    the more variant Unix variants, this may not be true. But it certainly
    is common for this to work fine. Indeed, it's arguably better because
    it helps prevent others from writing to the file by mistake even during
    a brief time between open()ing and fchmod()ing.

    /~\ The ASCII der Mouse
    \ / Ribbon Campaign
     X Against HTML mouse@rodents.montreal.qc.ca
    / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200504-14 ] monkeyd: Multiple vulnerabilities"