| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050415113148.GT22499@wsr.ac.at>
Date: Fri, 15 Apr 2005 13:31:48 +0200
From: "Peter J. Holzer" <hjp@....ac.at>
To: bugtraq@...urityfocus.com
Subject: Re: gzip TOCTOU file-permissions vulnerability
On 2005-04-14 09:27:11 -0600, Mark Senior wrote:
> > From: Derek Martin [mailto:code@...zashack.org]
> > Sent: April 13, 2005 08:50
> > The open() call is at fault here. If instead of being called
> > with a mode of RW_USER, it is called with the final intended
> > access mode, there is no need to later call chmod(), and the
> > problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.
I don't know about Windows, but on POSIX systems you can create a file
without write permissions and still write to it.
A small example from the shell:
bernon:~/tmp 12:58 121% umask 0777
bernon:~/tmp 12:58 122% echo foo > bar
bernon:~/tmp 12:58 123% ll bar
---------- 1 hjp sysadm 4 Apr 15 12:58 bar
As you can see, the file has no permissions, but still length 4.
This trick is sometimes used for lock files.
hp
--
_ | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in
|_|_) | Sysadmin WSR \the source, and you might run into a memory leak if
| | | hjp@....ac.at \you enable embedded haskell as a loadable module and
__/ | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae@....se
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists