Date: Thu, 14 Apr 2005 09:27:11 -0600
From: "Mark Senior" <Mark.Senior@....ab.ca>
To: "Derek Martin" <code@...zashack.org>, <bugtraq@...urityfocus.com>
Subject: RE: gzip TOCTOU file-permissions vulnerability


 

> From: Derek Martin [mailto:code@...zashack.org] 
> Sent: April 13, 2005 08:50
> 
> 
> The open() call is at fault here.  If instead of being called 
> with a mode of RW_USER, it is called with the final intended 
> access mode, there is no need to later call chmod(), and the 
> problem is averted.

One wrinkle - if the file is not intended to have user write permission
on it, and gzip (unzip/cpio/pax...) initially created it with the
intended permissions, there would be no way to then write the file.

The problem, to my understanding, is that the program opens the file by
name, then closes it, and then chmod's it, again referring to it by
name.  During which time, as you pointed out, we could be dealing with a
different inode.

If the program kept the file open, and used fchmod to change its
permissions, referring to it by file descriptor, you could be more sure
that it was the same inode it had just been writing to.

Cheers
Mark

---  end of meaningful content, legal bumph follows  ---

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
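The descriptor-based approach discussed in this message, as an added example that is not part of the original thread and is not gzip's code: the output file is created owner-only, written, and given its final mode with fchmod() on the still-open descriptor. The function names and the constructed swap scenario (the name is renamed away and a second file is created under it before the mode change) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the output owner-only; refuse an existing name or a symlink. */
int create_private(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Apply the final mode to the inode behind fd (no name lookup), then close. */
int finish(int fd, mode_t mode) {
    int rc = fchmod(fd, mode);
    if (close(fd) != 0) rc = -1;
    return rc;
}

/* Permission bits of whatever currently carries this name, or -1. */
int mode_of(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scenario: the name points at a different inode by the time
 * permissions are set. Returns 1 if only the written inode was changed. */
int swap_demo(const char *dir) {
    char out[512], moved[512];
    snprintf(out, sizeof out, "%s/out", dir);
    snprintf(moved, sizeof moved, "%s/out.moved", dir);
    int fd = create_private(out);
    if (fd < 0 || write(fd, "data\n", 5) != 5) return -1;
    if (rename(out, moved) != 0) return -1;      /* name no longer ours */
    int other = open(out, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (other < 0) return -1;                    /* same name, new inode */
    close(other);
    int before = mode_of(out);
    if (finish(fd, 0444) != 0) return -1;        /* follows the descriptor */
    return mode_of(moved) == 0444 && mode_of(out) == before;
}

int main(void) {
    char dir[] = "/tmp/fchmod-demo-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    printf("mode applied to written inode only: %d\n", swap_demo(dir));
    return 0;
}
```
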




