| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Apr 2005 22:35:52 -0400 (EDT) From: devnull@...ents.Montreal.QC.CA To: bugtraq@...urityfocus.com Subject: Re: gzip TOCTOU file-permissions vulnerability [As usual when I write to bugtraq, the From: header address is a blackhole address, a broken-autoresponder defense. Use the signature address to reach me.] >> The open() call is at fault here. If instead of being called with a >> mode of RW_USER, it is called with the final intended access mode, >> there is no need to later call chmod(), and the problem is averted. > One wrinkle - if the file is not intended to have user write > permission on it, and gzip (unzip/cpio/pax...) initially created it > with the intended permissions, there would be no way to then write > the file. This is not how most Unix variants work: provided you have an open-for-write descriptor on a file, you can write to it as long as the descriptor survives even if the file's permissions deny you write access. In particular, creating a file for write with a mode forbidding writing is not at all impossible. Now, if you're not on a Unix variant, or for all I know even some of the more variant Unix variants, this may not be true. But it certainly is common for this to work fine. Indeed, it's arguably better because it helps prevent others from writing to the file by mistake even during a brief time between open()ing and fchmod()ing. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@...ents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Powered by blists - more mailing lists