Re: Xinetd /tmp race?

From: Glynn Clements (glynnat_private)
Date: Wed Nov 11 1998 - 12:00:46 PST

    Balazs Nagy wrote:
    
    > If you send SIGHUP to xinetd, you get a dump file to /tmp/xinetd.dump, but
    > this method isn't checked against /tmp, and it happily overwrites anything
    > in the place of that file.  The package has been released in 1997, IMHO this
    > is too old to have a bug of this kind hidden.
    >
    > BTW here's the patch:
    
    [stat() before open() patch]
    
    1. This suffers from a race condition (in fact, this is the textbook
    example of a race condition). You need to fstat() the open()ed file,
    and check that it's the same file that you just stat()ed.
    
    2. The stat() needs to be an lstat(), to allow for symlinks.
    
    --
    Glynn Clements <glynnat_private>
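
The lstat()/open()/fstat() sequence from the two points above, as an added example that is not part of the original message or of xinetd's code. The names open_dump_file and try_case are hypothetical, and the link-count check and O_NOFOLLOW are extra hardening beyond what the message asks for.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example. Returns a writable, emptied fd for path, or -1 if unsafe. */
int open_dump_file(const char *path)
{
    struct stat before, after;
    int fd;
    if (lstat(path, &before) == -1) {
        if (errno != ENOENT) return -1;
        /* Nothing there: O_EXCL fails if anything, even a symlink, appears. */
        return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    }
    /* lstat() describes the link itself, so a symlink is rejected here. */
    if (!S_ISREG(before.st_mode) || before.st_nlink != 1) return -1;
    /* No O_TRUNC: nothing is destroyed until the checks below pass. */
    fd = open(path, O_WRONLY | O_NOFOLLOW);
    if (fd == -1) return -1;
    /* fstat() the descriptor: it must be the same file lstat() saw. */
    if (fstat(fd, &after) == -1 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || ftruncate(fd, 0) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check. kind: 0 = no file, 1 = regular file, 2 = symlink. */
int try_case(int kind)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", path[64], victim[64];
    int fd;
    if (!mkdtemp(dir)) return -2;               /* -2 means setup failed */
    snprintf(path, sizeof path, "%s/xinetd.dump", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (kind == 1) close(open(path, O_WRONLY | O_CREAT, 0600));
    if (kind == 2 && (close(open(victim, O_WRONLY | O_CREAT, 0600)) ||
                      symlink(victim, path)))
        return -2;
    fd = open_dump_file(path);
    if (fd >= 0) close(fd);
    unlink(path); unlink(victim); rmdir(dir);
    return fd >= 0;                             /* 1 = opened, 0 = refused */
}
```

If the path is swapped for a symlink between lstat() and open(), the device and inode comparison fails and the function returns before ftruncate() touches the other file.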
    