Re: Symlinks and Cryogenic Sleep

From: der Mouse (mouseat_private)
Date: Mon Jan 03 2000 - 18:04:27 PST


    > [symlink-paranoia code]
    
    > However, consider an average setuid root application, [...].  When
    > the application reaches the critical section of code between the
    > lstat and the open, you stop it by sending it a SIGSTOP.
    
    If you can send it a SIGSTOP, either you're running as root (in which
    case you don't *need* to play with symlink races), the application is
    running as you (in which case breaking it buys you nothing), or signal
    delivery is critically broken.
    
    In fact, I suspect that any process you can SIGSTOP, you can attach to
    with ptrace and do whatever you want without need for subterfuge.
    
    > 	--for instance a lookup of /tmp/foo (as done by lstat()) will
    > 	change the directory's atime.
    
    "That turns out not to be the case."  Or at least, you can't count on
    it:
    
    [Sparkle] 115> ls -ldu /tmp
    drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
    [Sparkle] 116> date
    Mon Jan  3 23:15:27 EST 2000
    [Sparkle] 117> ls -ld /tmp/foobar
    /tmp/foobar not found
    [Sparkle] 118> ls -ldu /tmp
    drwxrwxrwt 24 root         2560 Jan  2 21:15 /tmp
    [Sparkle] 119>
    
    					der Mouse
    
    			       mouseat_private
    		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
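Added here as an illustration and not part of der Mouse's post or the quoted symlink-paranoia code: the lstat()-then-open() window the thread turns on disappears when the check is made part of the open() call itself. The directory and file names are constructed with mkdtemp(); demo() exercises the pattern against a pre-planted symlink and returns 0 when the link is refused.

```c
/* Added example, not from the original post.  O_CREAT|O_EXCL refuses any
 * pre-existing entry at the path (a symlink included, without following
 * it), and O_NOFOLLOW refuses a symlink even where O_EXCL is not wanted.
 * The only check after open() is an fstat() on the descriptor we hold,
 * so there is no second name lookup for a racer to redirect. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create PATH atomically; fails if anything already exists there. */
int create_exclusive(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* Verify the object we actually opened, not the name we asked for. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed scratch directory; 0 means the pattern held. */
int demo(void)
{
    char dir[] = "/tmp/symrace-XXXXXX";   /* constructed by mkdtemp() */
    char target[64], victim[64];
    struct stat st;
    int fd, rc = -1;
    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/real", dir);
    snprintf(victim, sizeof victim, "%s/foo", dir);
    fd = create_exclusive(target);          /* fresh name: must succeed */
    if (fd < 0) goto out;
    close(fd);
    if (symlink(target, victim) < 0) goto out;   /* link planted at /foo */
    fd = create_exclusive(victim);          /* must be refused, not followed */
    if (fd >= 0) { close(fd); goto out; }
    if (errno != EEXIST && errno != ELOOP) goto out;
    if (stat(target, &st) < 0 || st.st_size != 0) goto out; /* untouched */
    rc = 0;
out:
    unlink(victim); unlink(target); rmdir(dir);
    return rc;
}
```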
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:25:45 PDT