mkdir plots (was: mkdir() and security hole)
Maarten Litmaath
maart at cs.vu.nl
Fri Dec 23 02:31:13 AEST 1988
ddl at husc6.harvard.edu (Dan Lanciani) writes:
\In article <10845 at swan.ulowell.edu>, arosen at hawk.ulowell.edu (MFHorn) writes:
\...
\| A couple years ago, I had to fix this bug in one of our systems. I had
\| source to mkdir.c, but not to the kernel, and was able to successfully
\| close the hole completely.
Really?
\|
\| mknod(dirname); /* Irrelevant arguments omitted */
\| link(".");
\| link("..");
\| chown(dirname);
\|
\| The real problem is mkdir trusts dirname to be the directory it just
\| created, which is not necessarily the case. Nicing the process only
\| shrinks the window of vulnerability, but it doesn't close it.
\...
\| The proper fix is to change 'chown(dirname);' to 'chown(".");' and
\| add a chdir(dirname); in the right place (with proper error checking).
\|
\| mknod(dirname);
\| link(".");
\| link("..");
\| chdir(dirname);
\| chown(".");
Consider the following scheme:
mkdir Xmas
mknod("Xmas", ...);
link("Xmas", "Xmas/.");
link("", "Xmas/..");
# scheduled out
rmdir Xmas
mkdir Xmas
mknod("Xmas", ...);
# scheduled out
cd Xmas
ln /etc/passwd .
# now the first mkdir is scheduled back in
chdir("Xmas");
chown(".", ...);
# thanks for the passwd file!
# lots of error messages, but who cares!
If John F. Haugh's fix were applied, the scheme above wouldn't work:
chown("./.", ...);
# error: "." isn't a directory
... unless "." were a symbolic link to another directory.
However, I think it very improbable that symbolic links exist on systems
WITHOUT the mkdir() system call.
The scheme above makes one important thing clear: to gain complete security
one must reckon with pathological cases.
Two other cookies to be fixed on older systems: mv(1), rmdir(1).
The rename() system call wasn't invented for nothing.
To Dan Lanciani: could you clarify your ideas by giving a mkdir plot example?
--
if (fcntl(merry, X_MAS, &a)) |Maarten Litmaath @ VU Amsterdam:
perror("happy new year!"); |maart at cs.vu.nl, mcvax!botter!maart