From owner-freebsd-hackers Thu Mar 11 23:49: 1 1999
Message-Id: <199903120748.AAA16897@harmony.village.org>
To: "Geoff Rehmet"
Subject: Re: The infamours "temp cleaner" debate
Cc: hackers@FreeBSD.ORG
In-reply-to: Your message of "Fri, 12 Mar 1999 08:20:43 +0200." <199903120620.IAA09997@hangdog.is.co.za>
References: <199903120620.IAA09997@hangdog.is.co.za>
Date: Fri, 12 Mar 1999 00:48:48 -0700
From: Warner Losh

There is at least one winnable race here. If someone changed the directory between the -d and chdir, then you could chdir someplace else.

In message <199903120620.IAA09997@hangdog.is.co.za> Geoff Rehmet writes:
: lstat($subdir) || die "Cannot stat $subdir";
: -d _ || die "$subdir is no longer a directory!!";

attacker removes subdir and replaces it with a symbolic link to some other place in the tree.

: chdir ($subdir) || die "Could not chdir from $item to $subdir";

boom. You have just followed the symbolic link. You are now in the wrong part of the tree. Files start to disappear from places they shouldn't disappear from.

: do_dir("${item}${subdir}/");
:
: # We intentionally "chdir .."
: chdir ("..") || die "Could not chdir to parent";

And you compound the problem by using relative paths. fts(3) handles these problems already. Unless you can do a fchdir, you won't solve the races that plague this problem.

Finally, you die too much. An attacker could launch a denial of service attack against cleaning programs which would cause them not to run.

Warner
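
The descriptor-based descent that the reply above points to (fchdir instead of a check followed by chdir), as an added example that is not part of the original message or of the script under discussion. The names `enter_dir` and `demo` and the temporary tree are assumptions made for illustration.

```c
#define _GNU_SOURCE   /* O_DIRECTORY, O_NOFOLLOW and the *at() calls on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `name` under parentfd without following a symlink,
 * re-check the type on the descriptor itself, then fchdir() to that same
 * descriptor. Check and use refer to one object, so nothing can be swapped in
 * between. Returns the fd, or -1 so the caller can skip the entry and go on. */
int enter_dir(int parentfd, const char *name)
{
    struct stat st;
    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;                    /* symlink, not a directory, or vanished */
    if (fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode) || fchdir(fd) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo tree: <tmp>/real is a directory, <tmp>/link is a symlink to "/".
 * Returns 1 if link was refused, real was entered, and fchdir() led back up. */
int demo(void)
{
    char tmpl[] = "/tmp/cleaner-demo-XXXXXX";
    struct stat top, now;
    int home = open(".", O_RDONLY | O_DIRECTORY);
    if (home < 0 || !mkdtemp(tmpl)) return 0;
    int topfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (topfd < 0 || fstat(topfd, &top) < 0) return 0;
    if (mkdirat(topfd, "real", 0700) < 0 || symlinkat("/", topfd, "link") < 0) return 0;
    int linkfd = enter_dir(topfd, "link");   /* stands in for the swapped-in symlink */
    int realfd = enter_dir(topfd, "real");   /* a genuine subdirectory */
    int ok = linkfd == -1 && realfd >= 0 &&
             fchdir(topfd) == 0 &&           /* go back up by descriptor, not chdir("..") */
             stat(".", &now) == 0 && now.st_ino == top.st_ino && now.st_dev == top.st_dev;
    if (realfd >= 0) close(realfd);
    unlinkat(topfd, "link", 0); unlinkat(topfd, "real", AT_REMOVEDIR);
    if (fchdir(home) < 0) ok = 0;            /* restore the caller's working directory */
    close(topfd); close(home); rmdir(tmpl);
    return ok;
}

int main(void) { printf("fd-based descent: %s\n", demo() ? "ok" : "FAILED"); return 0; }
```

Returning -1 instead of exiting lets a cleaner skip a suspicious entry and keep running, which addresses the denial-of-service point in the message as well.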