Olaf Kirch asked about checking files when you reopen them and
questioned the usefulness of
> if (lstat(fname, &stb1) >= 0 && S_ISREG(stb1.st_mode)) {
> fd = open(fname, O_RDWR);
> if (fd < 0 || fstat(fd, &stb2) < 0
> || ino_or_dev_mismatch(&stb1, &stb2))
> raise_big_stink()
> } else {
> /* do the O_EXCL thing */
> }
Mark A. Heilpern" <heilpernat_private> and
der Mouse <mouseat_private> maintain that mortals can only
send a SIGSTOP to their own processes.
When I send a SIGSTOP to a passwd process (uid=me,euid=0) I get:
linux 2.0.36: stopped
linux 2.2.12: stopped
OpenBSD 2.5: stopped
No doubt Olaf selected SIGSTOP in his example because it cannot be handled.
Goetz Babin-Ebell <babinebellat_private> provided some code which
I've not tested but looks as if it will leak open files and will
call fopen(cpFile,"a"); first and lstat() afterwards. This could lead
to the creation of unintended files at the symlink target. Only comparison
to S_IFLNK is done, leaving named pipes in the running.
It might also be raced either side of the lstat() call. fstat() is not used.
While I'm on this I'll mention a code scanner I wrote last year for checking
file races. It follows a description of an unpublished scanner by Matt Bishop
and Michael Dilger and is demonstrated on sendmail-8.6.10. In Perl.
http://www.notatla.demon.co.uk/SOFTWARE/SCANNER/scanner-1.0b.tar.gz
Olaf's suggested function ino_or_dev_mismatch(&stb1, &stb2) could be
extended to check the file's owner and group remain unchanged. This
means even if a file is switched the attacker gains nothing - he has
to replace it with an equivalent file.
--
##############################################################
# Antonomasia antat_private #
# See http://www.notatla.demon.co.uk/ #
##############################################################
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:26:28 PDT