Re: Symlink attack in file.c?

Hello, Leonard!

On Fri, 2006-06-16 at 01:53 +0200, Leonard den Ottolander wrote:

> Something I came across a couple of times this week, just now in
> relation to an RFE regarding file permissions on copying fat files in
> RHs bugzilla
> (
> A commit by "pavel" (Machek?) who added the remark
> "FIXME: You have security hole here, btw. Imagine copying to /tmp and
> symlink attack :-("
> Is there anybody that can explain to me what he's concerned about and if
> that is still an issue? If so this is a rather long standing hole... If
> not, let's get rid of that warning.

I think it's still an issue.  Suppose the target doesn't exist.  Then mc
decides that it's OK to create the file and creates it.  In the
meantime, somebody could have created a symlink, so mc truncates the
file pointed to by the symlink.

It is a hole indeed, but it needs a good timing to be exploited.  The
attacker should know which file is about to be overwritten and the
symlink should be created after mc has checked that the target doesn't
exist, but before mc opens the file for writing.

Since mc needs to be interactive, it's hard to avoid accessing the
target file more than once.

The simplest fix would be to use O_EXCL is there was no target file
initially.  If it fails for the reason that the file exists, there
should be a huge warning that no user should be able to ignore.

Pavel Roskin

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]