mkdir() and security hole

The Beach Bum jfh at rpp386.Dallas.TX.US
Thu Dec 22 23:19:40 AEST 1988


In article <871 at husc6.harvard.edu> ddl at husc6.harvard.edu (Dan Lanciani) writes:
>	Incidentally, the fix proposed by jfh at rpp386 (using dir/./.
>as the target of the chown()) doesn't help either.  It was a good
>try (and happened to be included in the mkdir test mentioned above)
>but breaks down since link() itself is not atomic.

It is time for this Dan Lanciani person to shut up, or produce proof that
these bug fixes do not work.  I challenge him to produce a test which will
break the mkdir Doug Davis provided with the patch I suggested.  Furthermore,
I am willing to let that test pound on my system for a day or more if needed.
Failing this, I suggest we all add Mr. Lanciani to our official list of
crackpots and throw him in the KILL file.

The basis for my patch is that the link() call is PRIVILEGED.  Since '.'
in the context of the above referenced chown() MUST be a directory, the
bad guy would have to be root.  If Mr. Lanciani is assuming one may
become root to break this program, then all bets are off, since Doug's
entire assumption is based on the bad guy not becoming root.  The bad guy
simply can't create a forged directory structure without first BEING root.
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Unix doesn't have bugs,
InterNet: jfh at rpp386.Dallas.TX.US       | Unix is a bug"
UucpNet : <backbone>!killer!rpp386!jfh  +--              -- author forgotten --
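
An added example, not part of the original post: it shows the path-resolution property the patch relies on, namely that a chown() aimed at dir/./. can only succeed when dir is a directory. The helper name and scratch paths are hypothetical, the code assumes a current POSIX system, and it does not test the atomicity objection quoted at the top.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: chown `path` through "path/./." so that the kernel
 * must look up "." inside it. Returns 0 on success, else the errno value. */
int chown_as_directory(const char *path, uid_t uid, gid_t gid)
{
    char target[4096];
    int n = snprintf(target, sizeof target, "%s/./.", path);

    if (n < 0 || (size_t)n >= sizeof target)
        return ENAMETOOLONG;
    return chown(target, uid, gid) == 0 ? 0 : errno;
}

/* Constructed scenario in a scratch directory: one real directory and one
 * regular file standing in for a non-directory found at the target name.
 * Returns 1 if the directory is accepted and the file is refused with
 * ENOTDIR, 0 if not, -1 if setup failed. */
int demo(void)
{
    char base[] = "/tmp/chowndemoXXXXXX";
    char dir[64], file[64];
    int fd, on_dir, on_file;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(dir, sizeof dir, "%s/newdir", base);
    snprintf(file, sizeof file, "%s/plainfile", base);
    fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || mkdir(dir, 0700) != 0)
        return -1;
    close(fd);
    /* The caller's own ids are used so the demo needs no privilege. */
    on_dir = chown_as_directory(dir, geteuid(), getegid());
    on_file = chown_as_directory(file, geteuid(), getegid());
    unlink(file);
    rmdir(dir);
    rmdir(base);
    return on_dir == 0 && on_file == ENOTDIR;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```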


