Olaf Kirch asked about checking files when you reopen them and questioned the usefulness of > if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) { > fd = open(fname, O_RDWR); > if (fd < 0 || fstat(fd, &stb2) < 0 > || ino_or_dev_mismatch(&stb1, &stb2)) > raise_big_stink() > } else { > /* do the O_EXCL thing */ > } Mark A. Heilpern" <heilpernat_private> and der Mouse <mouseat_private> maintain that mortals can only send a SIGSTOP to their own processes. When I send a SIGSTOP to a passwd process (uid=me,euid=0) I get: linux 2.0.36: stopped linux 2.2.12: stopped OpenBSD 2.5: stopped No doubt Olaf selected SIGSTOP in his example because it cannot be handled. Goetz Babin-Ebell <babinebellat_private> provided some code which I've not tested but looks as if it will leak open files and will call fopen(cpFile,"a"); first and lstat() afterwards. This could lead to the creation of unintended files at the symlink target. Only comparison to S_IFLNK is done, leaving named pipes in the running. It might also be raced either side of the lstat() call. fstat() is not used. While I'm on this I'll mention a code scanner I wrote last year for checking file races. It follows a description of an unpublished scanner by Matt Bishop and Michael Dilger and is demonstrated on sendmail-8.6.10. In Perl. http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz Olaf's suggested function ino_or_dev_mismatch(&stb1, &stb2) could be extended to check the file's owner and group remain unchanged. This means even if a file is switched the attacker gains nothing - he has to replace it with an equivalent file. -- ############################################################## # Antonomasia antat_private # # See http://www.notatla.demon.co.uk/ # ##############################################################
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:28 PDT