lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200504150246.WAA22989@Sparkle.Rodents.Montreal.QC.CA>
Date: Thu, 14 Apr 2005 22:35:52 -0400 (EDT)
From: devnull@...ents.Montreal.QC.CA
To: bugtraq@...urityfocus.com
Subject: Re: gzip TOCTOU file-permissions vulnerability


[As usual when I write to bugtraq, the From: header address is a
blackhole address, a broken-autoresponder defense.  Use the signature
address to reach me.]

>> The open() call is at fault here.  If instead of being called with a
>> mode of RW_USER, it is called with the final intended access mode,
>> there is no need to later call chmod(), and the problem is averted.
> One wrinkle - if the file is not intended to have user write
> permission on it, and gzip (unzip/cpio/pax...) initially created it
> with the intended permissions, there would be no way to then write
> the file.

This is not how most Unix variants work: provided you have an
open-for-write descriptor on a file, you can write to it as long as the
descriptor survives even if the file's permissions deny you write
access.

In particular, creating a file for write with a mode forbidding writing
is not at all impossible.

Now, if you're not on a Unix variant, or for all I know even some of
the more variant Unix variants, this may not be true.  But it certainly
is common for this to work fine.  Indeed, it's arguably better because
it helps prevent others from writing to the file by mistake even during
a brief time between open()ing and fchmod()ing.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ