Re: [Fwd: Truth about ssh 1.2.27 vulnerability]

From: Jeff Long (longat_private)
Date: Mon Oct 04 1999 - 09:23:52 PDT

  • Next message: Sylvain Robitaille: "Re: [Fwd: Truth about ssh 1.2.27 vulnerability]"

    Chris Keane wrote:
    >
    > >>>>> On Thu, 30 Sep 1999, "JL" = Jeff Long wrote:
    >
    >   JL> Seeing the race problems with the previous two patches I thought I
    >   JL> would take a shot at one.  It changes the effective uid/gid to the
    >   JL> user logging in before doing the bind() (and then resets them after)
    >   JL> which seems to take care of the problem.  [ ... ]  The bind() will
    >   JL> fail if a symlink exists to a file that the user would normally not
    >   JL> be able to write to (such as /etc/nologin).
    >
    > Surely this still isn't ideal, though?  It now won't overwrite root-owned
    > files, so the security hazard isn't there, but anyone on the system can
    > still fool a user into overwriting one of his own files, which is not
    > great.
    
    From looking at the code it appears that it checks to make sure the
    directory the socket is created in is owned by the logging in user.
    Thus other users shouldn't be able to cause this problem.  If the
    directory doesn't exist the patched version creates the directory (as
    root) then chowns the directory to the logging in user so I believe only
    the user will be able to overwrite their own files (i.e. they would have
    to create the symlink themselves to erase their own file).
    
    Jeff Long
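As an added example (this is not code from ssh 1.2.27 or from the patch the thread discusses), here are the two safeguards the reply describes, written as stand-alone C for Linux: switch the effective uid/gid to the logging-in user around bind(), and verify with lstat() that the per-user directory is a real directory owned by that user before creating anything in it. Function names, the scratch layout under /tmp, and the use of /etc/nologin (mentioned above) as the planted link target are this example's own assumptions; the self-test runs unprivileged, so the uid/gid switch is only exercised when the program is actually root.

```c
/* Added example (not ssh 1.2.27 code or the patch discussed above): the two
 * safeguards the thread describes, for Linux.  Names and /tmp layout assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* 0 if `dir` is a real directory (lstat: a symlink planted in its place is
 * rejected), owned by `uid` and not group/other writable; otherwise -1. */
int check_socket_dir(const char *dir, uid_t uid)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;
    return 0;
}

/* Create the per-user directory as the post describes: mkdir 0700, chown to
 * the user, then verify.  mkdir() never follows a trailing symlink, so a
 * planted link yields EEXIST and is then caught by check_socket_dir(). */
int prepare_socket_dir(const char *dir, uid_t uid, gid_t gid)
{
    if (mkdir(dir, S_IRWXU) == 0) {
        if (chown(dir, uid, gid) != 0)
            return -1;
    } else if (errno != EEXIST) {
        return -1;
    }
    return check_socket_dir(dir, uid);
}

/* bind() a unix socket at `path` with the effective uid/gid switched to the
 * target user, restoring them afterwards.  The switch happens only when we
 * are root; an unprivileged caller just binds as itself.  Returns the fd,
 * or -1 with errno from the call that failed. */
int bind_socket_as_user(const char *path, uid_t uid, gid_t gid)
{
    struct sockaddr_un addr;
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();
    int swap = (old_uid == 0), fd, rc, saved;
    mode_t old_umask;
    if (strlen(path) >= sizeof addr.sun_path) { errno = ENAMETOOLONG; return -1; }
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);                    /* length checked above */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (swap && (setegid(gid) != 0 || seteuid(uid) != 0)) {
        saved = errno; setegid(old_gid); close(fd); errno = saved; return -1;
    }
    old_umask = umask(077);                         /* socket file: owner only */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    saved = errno;
    umask(old_umask);
    if (swap && (seteuid(old_uid) != 0 || setegid(old_gid) != 0))
        abort();                                    /* never run half-switched */
    if (rc != 0) { close(fd); errno = saved; return -1; }
    return fd;
}

/* Walk the checks through a scratch tree under /tmp (constructed here).
 * Returns 0 when every step behaves as expected, else the failing step. */
int selftest(void)
{
    char base[] = "/tmp/agent-example-XXXXXX", dir[64], sock[96], lnk[96], fake[64];
    int fd, step = 0;
    if (mkdtemp(base) == NULL) return 1;
    snprintf(dir, sizeof dir, "%s/ssh-user", base);
    snprintf(sock, sizeof sock, "%s/agent-socket-%ld", dir, (long)getpid());
    snprintf(lnk, sizeof lnk, "%s/planted-link", dir);
    snprintf(fake, sizeof fake, "%s/ssh-other", base);
    /* a fresh directory is created, chowned to us and accepted; binding in it works */
    if (prepare_socket_dir(dir, getuid(), getgid()) != 0)
        step = 2;
    else if ((fd = bind_socket_as_user(sock, getuid(), getgid())) < 0)
        step = 3;
    else
        close(fd);
    /* a symlink already at the socket path is never followed: Linux bind()
     * rejects any existing name with EADDRINUSE, so /etc/nologin is untouched */
    if (!step && (symlink("/etc/nologin", lnk) != 0 ||
                  bind_socket_as_user(lnk, getuid(), getgid()) >= 0))
        step = 4;
    /* a symlink standing in for the directory itself fails the lstat check */
    if (!step && (symlink(dir, fake) != 0 ||
                  prepare_socket_dir(fake, getuid(), getgid()) == 0))
        step = 5;
    unlink(sock); unlink(lnk); unlink(fake); rmdir(dir); rmdir(base);
    return step;
}
```

The ownership check deliberately uses lstat() rather than stat(), and mkdir() rather than "create if missing" via open(): both refuse to follow a trailing symlink, which is exactly where an attacker who pre-creates the directory gets a foothold. Restoring the effective ids is treated as fatal on failure, since continuing as the wrong user is worse than dying.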
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:06:32 PDT