lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ly1x9ceh9j.fsf@gfn.org>
Date: Fri, 15 Apr 2005 01:33:12 -0400
From: Scott Gifford <sgifford@...pectclass.com>
To: "Mark Senior" <Mark.Senior@....ab.ca>
Cc: "Derek Martin" <code@...zashack.org>, <bugtraq@...urityfocus.com>
Subject: Re: gzip TOCTOU file-permissions vulnerability


"Mark Senior" <Mark.Senior@....ab.ca> writes:

>  
>
>> From: Derek Martin [mailto:code@...zashack.org] 
>> Sent: April 13, 2005 08:50
>> 
>> 
>> The open() call is at fault here.  If instead of being called 
>> with a mode of RW_USER, it is called with the final intended 
>> access mode, there is no need to later call chmod(), and the 
>> problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.

In a quick test, this seems not to be true, at least on my Linux
system.  It may be true over NFS. 
    
    [gifford@...ford tmp]$ ls -ld testfile
    ls: testfile: No such file or directory
    [gifford@...ford tmp]$ cat t.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <fcntl.h>
     
    void die(char *msg)
    {
      perror(msg);
      exit(1);
    }
     
    int main()
    {
      int fd;
     
      if ((fd = open("testfile",O_CREAT|O_WRONLY,0)) < 0)
        die("open failed");
      if (write(fd,"output\n",7) < 0)
        die("write failed");
      if (close(fd) < 0)
        die("close failed");
     
      return 0;
    }
    [gifford@...ford tmp]$ gcc -Wall t.c
    [gifford@...ford tmp]$ ./a.out
    [gifford@...ford tmp]$ ls -ld testfile
    ----------  1 gifford gifford 7 Apr 15 01:28 testfile
    [gifford@...ford tmp]$ chmod +r testfile
    [gifford@...ford tmp]$ cat testfile
    output
    [gifford@...ford tmp]$

----ScottG.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ