Re: varlinks! (and 2.1.98 works for me)

Rogier Wolff (R.E.Wolff@BitWizard.nl)
Fri, 1 May 1998 14:15:59 +0200 (MET DST)


Pavel Machek wrote:
>
> Hi!
>
> > > I tell at to run job /tmp/program. Tmp in fact is symlink to
> > > /.tmp/${UID}. At checks that I have privileges to /tmp/program, and
> > > places '/tmp/program' in some kind of list of things to do.
> > >
> > > Some time later, cron looks, and sees that luser cracker wants to exec
> > > /tmp/program. But, due to some things, /tmp is no longer pointer to
> > > /.tmp/crackeruid, it is pointer to /.tmp/gooduid. But cron does not
> > > know that. Cron does not check permissions, now. It has already done
> > > so. So it executes /tmp/program. But it executes _other_, potentially
> > > secret, /tmp/program.
> >
> > Any program that falls for this kind of problem ALREADY HAS a security
> > problem: anything can have changed "/tmp/program". It could have been
> > simply a symlink pointing here (access allowed) or there (no access
> > allowed).
>
> Ook, but if program did check right before read (but changed UID in
> progress), then we used to have hard-to-exploit-race. Now we have
> cleanly exploitable bug.

Right. So, worst case, a hacker doesn't need to write a script to
exploit the race. The script would try 100 times before being
successful, and the new attack using varlinks might show it
immediately.

This means that a bug has been found and needs to be fixed. Not that
varlinks are insecure.

Roger.

-- 
If it's there and you can see it, it's REAL      |___R.E.Wolff@BitWizard.nl  |
If it's there and you can't see it, it's TRANSPARENT |  Tel: +31-15-2137555  |
If it's not there and you can see it, it's VIRTUAL   |__FAX:_+31-15-2138217  |
If it's not there and you can't see it, it's GONE! -- Roy Wilks, 1983  |_____|
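
Added example, not part of the original message and not code from at or cron: one way to fix the class of bug the thread describes is to check the opened file rather than the path, so that re-pointing /tmp between check and use cannot change which file was checked. The names open_job_checked and demo_repoint and the u1/u2/tmp directory layout are assumptions made up for the illustration.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not code from at or cron): open the job once, then
 * run every check on the descriptor, so re-pointing a symlink on the path
 * afterwards cannot change which file was checked. Returns fd or -1. */
int open_job_checked(const char *path, uid_t submitter)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != submitter ||              /* must belong to the submitter */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {  /* nobody else may rewrite it */
        close(fd);
        return -1;
    }
    return fd;   /* run it with fexecve(fd, argv, envp), never by path again */
}

/* Constructed scenario: "tmp" stands in for the per-user /tmp link and is
 * re-pointed between check and use. Returns 1 if the checked descriptor
 * still refers to the submitter's file, 0 if not, -1 on setup failure. */
int demo_repoint(void)
{
    char dir[] = "/tmp/varlink-demo-XXXXXX";
    struct stat mine, held;
    int fd;
    if (!mkdtemp(dir) || chdir(dir) != 0 || mkdir("u1", 0700) || mkdir("u2", 0700))
        return -1;
    close(open("u1/program", O_CREAT | O_WRONLY, 0700));
    close(open("u2/program", O_CREAT | O_WRONLY, 0700));
    if (symlink("u1", "tmp") != 0 || stat("u1/program", &mine) != 0)
        return -1;
    fd = open_job_checked("tmp/program", geteuid());   /* the check */
    if (fd < 0 || unlink("tmp") != 0 || symlink("u2", "tmp") != 0)
        return -1;                                      /* link re-pointed */
    if (fstat(fd, &held) != 0)
        return -1;
    close(fd);
    return held.st_ino == mine.st_ino && held.st_dev == mine.st_dev;
}

int main(void) { printf("still the checked file: %d\n", demo_repoint()); return 0; }
```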
