lynx-dev
Re: lynx-dev 2.8.1dev.19.patch.gz


From: Bela Lubkin
Subject: Re: lynx-dev 2.8.1dev.19.patch.gz
Date: Tue, 4 Aug 1998 19:23:11 -0700

T.E.Dickey wrote:

> > Your first open fails (EEXIST).  So you stat the file, find that it 
> > *does* belong to you (stat returns info about the target of the symlink), 
> > so you truncate your .profile. 
> very well - so I can change the O_TRUNCATE to a delayed ftruncate, so after
> opening the file, I can do an fstat to ensure that the real user owns the
> file, and close it if I'm wrong.  (Any other holes?)

This path leads to madness.  Do not underestimate the power of the dark
side.

A delayed ftruncate() doesn't prevent the case where an attacker has
made a hard link from one of your files to /tmp.  You can prevent that
by having /tmp a separately mounted filesystem, but some systems aren't
set up that way.

The objective is to create a new file.  The only safe ways to do that
are:

  open(O_CREAT | O_EXCL | O_TRUNC)
  optionally, if that fails EEXIST,
    unlink
    open(O_CREAT | O_EXCL | O_TRUNC)
    repeat as many times as necessary, bounded to avoid infinite loop

Look, all of this code needs to be gone over by a security expert.  In
reality, all of Lynx needs that treatment.  But even just focusing on
the issue of internal temp files, you need an expert looking at this.  I
claim to be at least a low-end expert in the field.  You have proposed
and even implemented "fixes" several times which do not, in fact, fix
the problems, and sometimes make them worse.  Please let me work this
stuff out myself.

And please don't take this as an affront.  You are doing work that
amazes me, that I could never even think of doing, in coordinating the
Lynx and so many other development projects.  I have great respect for
that.

It is apparent to me that securing Lynx against /tmp races is going to
require a complete rewrite of all of its temp file routines.  I'm
committing to that project.  I'm also extremely busy with my job, moving
into a new house, etc.  So it might take a few weeks before I have it
ready to be integrated.  Bear with me.

>Bela<
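The create-with-O_EXCL loop that the message prescribes, worked out as an added C example. This is not Lynx code and not from the original post; the function names (create_fresh, run_demo and the helpers), the retry bound TMP_TRIES, the directory and file names under /tmp, and the seven-byte "secret" victim file are all assumptions made for the demonstration. The example plants the two traps the message describes (a symlink, then a hard link, each pointing at a victim file that stands in for .profile) and shows that a naive open(O_CREAT|O_TRUNC) truncates the victim through the trap while create_fresh() does not.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TMP_TRIES 8      /* bound on the unlink/retry loop (assumed value) */
#define PATHBUF   4096   /* assumed path buffer size */

/* Create a brand-new file at `path` the way the message prescribes: open with
 * O_CREAT|O_EXCL so the create is atomic and never follows a symlink, and if
 * some name already sits there, unlink that name and retry a bounded number
 * of times. Returns an fd on the new inode, or -1 with errno set. */
int create_fresh(const char *path)
{
    for (int attempt = 0; attempt < TMP_TRIES; attempt++) {
        int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_TRUNC, 0600);
        if (fd >= 0) {
            /* We just created this inode, so it must be a regular file with
             * exactly one link, owned by us; anything else is a hard error. */
            struct stat st;
            if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
                st.st_nlink == 1 && st.st_uid == getuid())
                return fd;
            close(fd);
            errno = EPERM;
            return -1;
        }
        if (errno != EEXIST)
            return -1;
        /* A name is in the way (file, symlink, hard link to a victim, ...).
         * unlink() removes the name only, never the object it points at. */
        if (unlink(path) != 0 && errno != ENOENT)
            return -1;
    }
    errno = EEXIST;  /* an attacker kept re-planting the name; give up */
    return -1;
}

/* Constructed victim file standing in for ~/.profile: seven bytes. */
static int write_victim(const char *victim)
{
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, "secret\n", 7) == 7;
    close(fd);
    return ok ? 0 : -1;
}

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* The pattern the message argues against: O_CREAT|O_TRUNC follows whatever
 * link the attacker planted at `trap` and truncates its target.
 * Returns 1 if the victim was truncated. */
int naive_create_truncates(const char *trap, const char *victim)
{
    int fd = open(trap, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) close(fd);
    return size_of(victim) == 0;
}

/* Safe creation against the same planted trap. Returns 1 if the victim kept
 * its 7 bytes and `trap` is now a fresh, empty regular file with one link. */
int safe_create_preserves(const char *trap, const char *victim)
{
    int fd = create_fresh(trap);
    if (fd < 0) return 0;
    close(fd);
    struct stat ls;
    return size_of(victim) == 7 && lstat(trap, &ls) == 0 &&
           S_ISREG(ls.st_mode) && ls.st_nlink == 1 && ls.st_size == 0;
}

/* Runs both attacks (symlink trap, then hard-link trap) in a private
 * directory. Returns 0 when the naive open truncates the victim in both
 * cases and create_fresh() leaves it intact in both; nonzero otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/fresh-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char victim[PATHBUF], trap[PATHBUF];
    snprintf(victim, sizeof victim, "%s/dot-profile", dir);
    snprintf(trap, sizeof trap, "%s/lynx-tmp", dir);
    int rc = 0;

    for (int hard = 0; hard <= 1 && rc == 0; hard++) {
        /* attacker plants trap -> victim */
        if (write_victim(victim) != 0) { rc = 2; break; }
        unlink(trap);
        if ((hard ? link(victim, trap) : symlink(victim, trap)) != 0) { rc = 3; break; }
        if (!naive_create_truncates(trap, victim)) { rc = 4; break; }

        /* restore the victim, re-plant the same trap, try the safe path */
        if (write_victim(victim) != 0) { rc = 5; break; }
        unlink(trap);
        if ((hard ? link(victim, trap) : symlink(victim, trap)) != 0) { rc = 6; break; }
        if (!safe_create_preserves(trap, victim)) { rc = 7; break; }
    }
    unlink(trap); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n",
           rc == 0 ? "naive open truncated the victim; create_fresh did not" : "demo failed", rc);
    return rc;
}
```

Two points the code makes concrete: the O_EXCL open is the only atomic step, so it is the only place where "the file did not exist a moment ago" can actually be established, and unlink() between attempts only removes the name, so a hard-linked victim keeps its own inode and contents. Because an attacker can re-plant the name between the unlink and the next open, the loop gives up after TMP_TRIES with EEXIST instead of spinning, which is the "bounded to avoid infinite loop" clause in the message.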
