mkdir() and security hole ***** ONE-LINE FIX !! ****

Larry Blair lmb at vicom.COM
Fri Dec 23 04:08:44 AEST 1988


In article <871 at husc6.harvard.edu> ddl at husc6.harvard.edu (Dan Lanciani) writes:
=In article <379 at skep2.ATT.COM>, wcs at skep2.ATT.COM (Bill.Stewart.[ho95c]) writes:
=| nice(-255);	/* always win race condition  - fixes security bug */
=| 		/* nice(-255) is not very nice, but root has its privileges */
=| 		/* works with official mkdir and Doug's */
=| 
=	Unfortunately, this analysis is incorrect.  The real window
=occurs while the mkdir process is blocked on disk I/O to, e.g., look
=up elements of the path name of the file to chown().

I don't know what version of Unix you run, but I don't know of one that would
do ANY disk I/O for the chown, since the mknod would have brought all of
the elements into core and, being -255, no one else could have caused the
kernel to de-cache the inodes and buffers.  I'm also pretty sure that there
is no danger in this case of losing the CPU due to timeout.  I'm sure that
some kernel hacker can tell us whether nice(-255) can be preempted.
-- 
Larry Blair   ames!vsi1!lmb   lmb at vicom.com
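A defensive illustration of the point under dispute, added here as an example and not code from this thread: instead of relying on scheduling priority to keep a mknod()/chown() pair from being interleaved, the ownership change can be bound to the directory's inode through a file descriptor. `mkdir_chown_fd` and `selftest` are hypothetical names; the scratch path under /tmp is constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical helper written for this page, not code from the thread.
 * The old user-space mkdir ran mknod() then chown() on a path name, so the
 * name could be re-pointed at another object in between. Here mkdir(2) is
 * atomic and the chown goes through a descriptor opened with O_NOFOLLOW and
 * checked with fstat(), binding it to our inode. Returns 0 or -1 (errno). */
int mkdir_chown_fd(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st; int fd, saved;
    if (mkdir(path, mode) != 0)
        return -1;
    /* Refuse a symlink or non-directory that may have replaced the name. */
    if ((fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)) < 0)
        return -1;
    if (fstat(fd, &st) != 0)
        goto fail;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        errno = EPERM;               /* not the directory we just made */
        goto fail;
    }
    if (fchown(fd, uid, gid) != 0)   /* acts on the inode, not the name */
        goto fail;
    return close(fd);
fail:
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}
/* Self-check: make a scratch subdirectory for the calling user, then
 * confirm a second attempt fails with EEXIST. Returns 1 if both hold. */
int selftest(void)
{
    char base[] = "/tmp/mkdirfdXXXXXX", path[64];   /* constructed path */
    int ok;
    if (mkdtemp(base) == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/sub", base);
    ok = mkdir_chown_fd(path, 0700, getuid(), getgid()) == 0
         && mkdir_chown_fd(path, 0700, getuid(), getgid()) == -1
         && errno == EEXIST;
    rmdir(path); rmdir(base);
    return ok;
}
```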