Re: Linux patches to solve /tmp race problem

From: Donaldson, Matthew (matthewat_private)
Date: Wed Apr 25 2001 - 08:44:18 PDT


    Valdis.Kletnieksat_private writes:
    >On Tue, 24 Apr 2001 20:13:30 +0930, "Donaldson, Matthew" <matthewat_private>  said:
    >> (e.g. because it's non open-source).  Having something like this gives them
    >> the security that even if someone is doing the Wrong Thing(tm), it does not
    >> put them at risk.
    >
    >Puts them at much less risk.  The risk is still non-zero.  (Consider - does
    >the patch fix race conditions that happen to involve both /tmp *and* '..'
    >in the pathname?  What *other* end conditions are there?  Remember that
    >"non executable stack" patches don't stop all buffer overflows, they just
    >make them a LOT harder to exploit.....
    
    I see your point about buffer overflows, but I'm not sure that the same
    applies to /tmp races: maybe I'm missing something, but my perception of the
    essence of /tmp races is this: someone sticks a symlink in /tmp just
    before a privileged user (e.g. root) is about to create a file with that
    name.  Privileged user doesn't check properly, and writes stuff to the
    file the non-privileged user selected.
    
    If each user has a separate /tmp directory, unwritable by anyone else, this
    is no longer possible, so far as I can see.  Now maybe I'm overlooking things
    here - I'd be most interested to hear of types of /tmp races not solved by
    this proposal, and how using '..' in the path name might make things trickier.
    
    Now of course the price you pay is that if things are designed to cooperate
    using files in /tmp, and they run as different users, you have to make them
    agree on somewhere else to put files, or use a different communication
    mechanism.  More on that in my reply to Chris Wright (tomorrow - it's getting
    late here), who raised that issue.  X is a particularly bad offender in this
    category, but there are some fairly simple workarounds.
    
    Cheers
    
    		-Matthew
    
    --
    +--------------------------------------------------------------------------+
    | Matthew Donaldson             http://www.datadeliverance.com             |
    | Data Deliverance Pty. Ltd.    Email: matthewat_private         |
    | 30 Musgrave Ave.              Phone: +61 8 8265 7976            _        |
    | Banksia Park                  Fax:   +61 8 8265 0032     John  / \/      |
    | South Australia 5091                                     3:16  \_/\      |
    +--------------------------------------------------------------------------+
    
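The race Matthew describes (a symlink planted at the name a privileged program is about to create, and a program that "doesn't check properly" writing through it) can be shown end to end in a few lines of C. The following is an added example, not code from the thread or from the kernel patch under discussion. It plants a symlink in a private scratch directory (constructed with mkdtemp, not a real /tmp entry), shows that open() with O_CREAT alone follows the link and writes the target, and that open() with O_CREAT|O_EXCL|O_NOFOLLOW refuses it. It also includes the ownership and mode check a program would do on its temp directory to confirm the property a per-user, unwritable-by-others /tmp is meant to provide. The file names `scratch.dat` and `victim.dat` and the directory template are assumptions chosen for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing only if we create it ourselves: O_EXCL refuses any
 * existing entry (a planted symlink included) and O_NOFOLLOW refuses a symlink
 * as the last component. Returns an fd >= 0, or -errno on failure. */
int open_fresh_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* The pattern the mail calls "doesn't check properly": O_CREAT without O_EXCL
 * follows whatever symlink already sits at `path` and writes its target. */
int open_file_carelessly(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    return fd < 0 ? -errno : fd;
}

/* Is `dir` a real directory, owned by us, writable by nobody else? That is the
 * guarantee a per-user /tmp gives; a shared 1777 /tmp fails the mode test. */
int is_private_dir(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;              /* missing or unreadable */
    if (!S_ISDIR(st.st_mode)) return 0;              /* symlink or plain file */
    if (st.st_uid != geteuid()) return 0;            /* someone else owns it */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* others can plant entries */
    return 1;
}

/* Run the race in a scratch directory. Returns 0 when the careful open refused
 * the planted link and the careless one followed it; otherwise the number of
 * the step that behaved unexpectedly. */
int run_demo(void)
{
    char dir[] = "/tmp/tmprace-demo-XXXXXX";        /* constructed scratch dir */
    char alt[] = "./tmprace-demo-XXXXXX";           /* fallback if /tmp is unusable */
    const char *d = mkdtemp(dir) ? dir : (mkdtemp(alt) ? alt : NULL);
    if (d == NULL) return 1;

    int rc = 0, fd;
    char lnk[4096], target[4096];
    snprintf(lnk, sizeof lnk, "%s/scratch.dat", d);      /* name the program will use */
    snprintf(target, sizeof target, "%s/victim.dat", d); /* where the link points */

    /* mkdtemp creates the directory 0700 and owned by us: it must pass the check. */
    if (!is_private_dir(d)) { rc = 2; goto out; }

    /* The move from the mail: a (dangling) symlink at the expected file name. */
    if (symlink(target, lnk) != 0) { rc = 3; goto out; }

    /* Careful open: refused with EEXIST, because an entry already sits there
     * (ELOOP on a system that evaluates O_NOFOLLOW first). */
    fd = open_fresh_file(lnk);
    if (fd >= 0) { close(fd); rc = 4; goto out; }
    if (fd != -EEXIST && fd != -ELOOP) { rc = 4; goto out; }

    /* Careless open: follows the link, so the target appears with our data. */
    fd = open_file_carelessly(lnk);
    if (fd < 0) { rc = 5; goto out; }
    if (write(fd, "secret\n", 7) != 7) { close(fd); rc = 5; goto out; }
    close(fd);
    if (access(target, F_OK) != 0) { rc = 6; goto out; }

    /* Once the link is gone the careful open creates the file itself. */
    unlink(lnk);
    fd = open_fresh_file(lnk);
    if (fd < 0) { rc = 7; goto out; }
    close(fd);

out:
    unlink(lnk);
    unlink(target);
    rmdir(d);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("/tmp private for this user: %s\n", is_private_dir("/tmp") ? "yes" : "no");
    printf("symlink race demo: %s (rc=%d)\n", rc == 0 ? "as expected" : "unexpected", rc);
    return rc;
}
```

Note that O_EXCL only protects the program's own file creation; it does nothing for a name the program opens for reading or reuses later, which is where the '..' and per-directory cases Valdis alludes to still matter, and why the directory check is worth doing in addition to the open flags.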



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 21:57:08 PDT