mkdir() and security hole ***** ONE-LINE FIX !! ****

The Beach Bum jfh at rpp386.Dallas.TX.US
Thu Dec 22 16:12:36 AEST 1988


In article <379 at skep2.ATT.COM> wcs at skep2.UUCP (46323-Bill.Stewart.[ho95c],2G218,x0705,) writes:
>nice(-255);	/* always win race condition  - fixes security bug */
>		/* nice(-255) is not very nice, but root has its privileges */
>		/* works with official mkdir and Doug's */

Nope, this fails.  Consider - nice() does not ensure you are always first,
it only ensures that you are preferred.  After some period of execution,
the priority of the process will drop low enough for the user to slip
in.  Instead of doing a single directory per mkdir, stuff the command line
FULL of directories.

Also, the lowest NICE is 0.  The default NICE is 20.  This only means
that proc.p_cpu for your mkdir process needs to be 20 more than p_cpu for
the bad guy's process.  One full second of execution should do this.  Once
that is accomplished, the bad guy should be able to slip in between.  A
C program may be needed to get the timing information correct, but it
should be VERY possible.
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Unix doesn't have bugs,
InterNet: jfh at rpp386.Dallas.TX.US       | Unix is a bug"
UucpNet : <backbone>!killer!rpp386!jfh  +--              -- author forgotten --
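
The reply's argument is that a priority boost can narrow a race window but never close it. As an added example (not part of the original post or of any mkdir source discussed in the thread), this C helper removes the window instead: it creates the directory atomically and changes ownership through a file descriptor. It assumes the POSIX.1-2008 calls mkdirat(), openat() and fchown(), which postdate the System V release under discussion; the name make_dir_for and the scratch path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (name and signature are assumptions): create `name`
 * under the directory open at parent_fd and give it to uid:gid.
 * Returns 0 on success, -1 with errno set. */
int make_dir_for(int parent_fd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd, saved;
    /* One atomic step: fails with EEXIST if anything, a symlink included,
     * already occupies the name. Mode 0700 keeps others out for now. */
    if (mkdirat(parent_fd, name, 0700) != 0)
        return -1;
    /* Pin the object by descriptor. O_NOFOLLOW refuses a symlink swapped in
     * after the create, O_DIRECTORY refuses any other non-directory. */
    fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the pinned object, not the path: it must be a directory owned
     * by us, i.e. the one created above and not a substitute. */
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        errno = EPERM;
        goto fail;
    }
    /* Ownership changes on the descriptor, so no pathname is resolved again. */
    if (fchown(fd, uid, gid) != 0)
        goto fail;
    close(fd);
    return 0;
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    char tmpl[] = "/tmp/mkdir_demo_XXXXXX";   /* constructed scratch path */
    int pfd = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    return (pfd >= 0 && make_dir_for(pfd, "newdir", getuid(), getgid()) == 0) ? 0 : 1;
}
```

Correctness here does not depend on which process the scheduler runs first, so no nice() value is involved.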


