mkdir plots (was: mkdir() and security hole)

Maarten Litmaath maart at cs.vu.nl
Fri Dec 23 02:31:13 AEST 1988


ddl at husc6.harvard.edu (Dan Lanciani) writes:
\In article <10845 at swan.ulowell.edu>, arosen at hawk.ulowell.edu (MFHorn) writes:
\...
\| A couple years ago, I had to fix this bug in one of our systems.  I had
\| source to mkdir.c, but not to the kernel, and was able to successfully
\| close the hole completely.

Really?

\| 
\|   mknod(dirname);       /* Irrelevant arguments omitted */
\|   link(".");
\|   link("..");
\|   chown(dirname);
\| 
\| The real problem is mkdir trusts dirname to be the directory it just
\| created, which is not necessarily the case.  Nicing the process only
\| shrinks the window of vulnerability, but it doesn't close it.
\...
\| The proper fix is to change 'chown(dirname);' to 'chown(".");' and
\| add a chdir(dirname); in the right place (with proper error checking).
\| 
\|   mknod(dirname);
\|   link(".");
\|   link("..");
\|   chdir(dirname);
\|   chown(".");

Consider the following scheme:

	mkdir Xmas
		mknod("Xmas", ...);
		link("Xmas", "Xmas/.");
		link("", "Xmas/..");
		# scheduled out
	rmdir Xmas
	mkdir Xmas
		mknod("Xmas", ...);
		# scheduled out
	cd Xmas
	ln /etc/passwd .
		# now the first mkdir is scheduled back in
		chdir("Xmas");
		chown(".", ...);
		# thanks for the passwdfile!
		# lots of error messages, but who cares!

If John F. Haugh's fix were applied, the scheme above wouldn't work:

		chown("./.", ...);
		# error: "." isn't a directory

... unless "." were a symbolic link to another directory.
However, I think it very improbable that symbolic links exist on systems
WITHOUT the mkdir() system call.
The scheme above makes one important thing clear: to gain complete security
one must reckon with pathological cases.
Two other cookies to be fixed on older systems: mv(1), rmdir(1).
The rename() system call wasn't invented for nothing.
To Dan Lanciani: could you clarify your ideas by giving a mkdir plot example?
-- 
if (fcntl(merry, X_MAS, &a))          |Maarten Litmaath @ VU Amsterdam:
        perror("happy new year!");    |maart at cs.vu.nl, mcvax!botter!maart
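An added illustration of the principle the thread circles around (check the object you are about to chown, not the name you were given); this is example code written for this archive page, not from the 1988 mkdir.c nor from any of the posters. It assumes a modern kernel with mkdir(2), fchown(2) and the O_DIRECTORY / O_NOFOLLOW open flags, none of which existed on the systems under discussion; the helper names chown_if_own_dir, create_dir_for_user and demo are hypothetical. O_DIRECTORY is what rejects the "ln /etc/passwd ." swap, O_NOFOLLOW is what rejects the symbolic-link caveat, and the fstat/fchown pair runs on one descriptor so no name lookup sits between the check and the ownership change.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not from any historical mkdir.c: given a descriptor,
 * change ownership only if the object behind it is a directory that the
 * calling (privileged) process still owns. Check and chown use the same
 * descriptor, so nothing can be swapped in between the two. */
int chown_if_own_dir(int fd, uid_t uid, gid_t gid)
{
    struct stat st;

    if (fstat(fd, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        errno = EPERM;               /* not our fresh directory: refuse */
        return -1;
    }
    return fchown(fd, uid, gid);     /* act on the object, not on the name */
}

/* Hypothetical "make a directory and hand it to uid:gid" step.
 * mkdir(2) is atomic in the kernel, so the mknod/link window of the old
 * user-mode mkdir is gone; the open() flags close the two swaps discussed
 * in the thread: O_DIRECTORY rejects a non-directory linked into place,
 * O_NOFOLLOW rejects a symbolic link standing where the directory was. */
int create_dir_for_user(const char *path, uid_t uid, gid_t gid)
{
    int fd, rc, saved;

    if (mkdir(path, 0700) == -1)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;
    rc = chown_if_own_dir(fd, uid, gid);
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-check on a constructed temporary tree. Returns 1 when a fresh
 * directory is created and owned, and a regular file standing in for
 * /etc/passwd is refused by the descriptor check; 0 otherwise. */
int demo(void)
{
    char tmpl[] = "/tmp/mkdir-plot-XXXXXX";   /* constructed scratch area */
    char dir[64], file[64];
    struct stat st;
    int fd, ok = 1;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(dir, sizeof dir, "%s/Xmas", tmpl);
    snprintf(file, sizeof file, "%s/passwd-stand-in", tmpl);

    if (create_dir_for_user(dir, getuid(), getgid()) != 0
        || stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        ok = 0;

    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1) {
        ok = 0;
    } else {
        /* Hand the checker a descriptor for a regular file: this is the
         * object an attacker would like chowned, and it must be refused. */
        if (chown_if_own_dir(fd, getuid(), getgid()) != -1 || errno != EPERM)
            ok = 0;
        close(fd);
    }

    unlink(file);
    rmdir(dir);
    rmdir(tmpl);
    return ok;
}

int main(void)
{
    printf("%s\n", demo() ? "ok: fresh directory owned, non-directory refused"
                          : "check failed");
    return 0;
}
```

The ownership test in chown_if_own_dir (st_uid == geteuid()) is what a setuid mkdir would rely on: a directory it made moments ago is still owned by it, whereas anything an unprivileged user managed to rename into place is owned by that user. Running the block as an ordinary user is enough to exercise both paths, since fchown to one's own uid and primary gid needs no privilege.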