<<< Date Index >>>     <<< Thread Index >>>

Re: gzip TOCTOU file-permissions vulnerability



On Thu, 14 Apr 2005 devnull@xxxxxxxxxxxxxxxxxxxxxx wrote:

> >> The open() call is at fault here.  If instead of being called with a
> >> mode of RW_USER, it is called with the final intended access mode,
> >> there is no need to later call chmod(), and the problem is averted.

        Doing open(,,RW_USER) is not a solution: the resulting file's mode
will be (mode & ~umask), but NOT just `mode'.

        So, either fchmod(,RW_USER) just after open()/creat() is required
(which seems to be the best practice), or some umask trickery will be
necessary.

> > One wrinkle - if the file is not intended to have user write
> > permission on it, and gzip (unzip/cpio/pax...) initially created it
> > with the intended permissions, there would be no way to then write
> > the file.
> 
> This is not how most Unix variants work: provided you have an
> open-for-write descriptor on a file, you can write to it as long as the
> descriptor survives even if the file's permissions deny you write
> access.
> 
> In particular, creating a file for write with a mode forbidding writing
> is not at all impossible.
> 
> Now, if you're not on a Unix variant, or for all I know even some of
> the more variant Unix variants, this may not be true.  But it certainly
> is common for this to work fine.  Indeed, it's arguably better because
> it helps prevent others from writing to the file by mistake even during
> a brief time between open()ing and fchmod()ing.

        Yes, writing to a just-created file with permissions 000 WILL work
under most Unices.  But think about NFS -- since NFS doesn't have
"sessions"/"states"/"open descriptors", the checks will (or at least can,
at least in some versions of NFS) be performed upon each write.  Thus,
write() may fail.

        _________________________________________
          Dmitry Yu. Bolkhovityanov
          The Budker Institute of Nuclear Physics
          Novosibirsk, Russia