<<< Date Index >>>     <<< Thread Index >>>

Re: gzip TOCTOU file-permissions vulnerability



[As usual when I write to bugtraq, the From: header address is a
blackhole address, a broken-autoresponder defense.  Use the signature
address to reach me.]

>> The open() call is at fault here.  If instead of being called with a
>> mode of RW_USER, it is called with the final intended access mode,
>> there is no need to later call chmod(), and the problem is averted.
> One wrinkle - if the file is not intended to have user write
> permission on it, and gzip (unzip/cpio/pax...) initially created it
> with the intended permissions, there would be no way to then write
> the file.

This is not how most Unix variants work: provided you have an
open-for-write descriptor on a file, you can write to it as long as the
descriptor survives even if the file's permissions deny you write
access.

In particular, creating a file for write with a mode forbidding writing
is not at all impossible.

Now, if you're not on a Unix variant, or for all I know even some of
the more variant Unix variants, this may not be true.  But it certainly
is common for this to work fine.  Indeed, it's arguably better because
it helps prevent others from writing to the file by mistake even during
a brief time between open()ing and fchmod()ing.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@xxxxxxxxxxxxxxxxxxxxxx
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B