From piete.brooks@cl.cam.ac.uk  Mon Aug 26 19:04:31 1996
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id TAA01179 for <best-of-security@suburbia.net>; Mon, 26 Aug 1996 19:04:01 +1000
Received: from heaton.cl.cam.ac.uk (exim@heaton.cl.cam.ac.uk [128.232.32.11]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id BAA06556 for <best-of-security@suburbia.net>; Mon, 26 Aug 1996 01:11:35 -0700 (PDT)
Received: from cl.cam.ac.uk [128.232.0.11] (pb)
	by heaton.cl.cam.ac.uk with esmtp (Exim 0.52 #2)
	id E0uuwhb-0001ug-00; Mon, 26 Aug 1996 09:07:19 +0100
X-uri: <URL:http://www.cl.cam.ac.uk/users/pb>
X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs
        X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d)
        A:L9AFgOU[BjbaY)uBAMz}h!fm^O0#
To: Daniel Bromberg <ddaniel@furlong.jpl.nasa.gov>
cc: leitner@math.fu-berlin.de (Felix von Leitner),
        best-of-security@suburbia.net, Piete.Brooks@cl.cam.ac.uk
Subject: Re: BoS: cfingerd possible security hole 
In-reply-to: Your message of Sun, 25 Aug 1996 16:29:26 -0700.
             <199608252329.QAA04110@furlong.jpl.nasa.gov> 
Date: Mon, 26 Aug 1996 09:07:17 +0100
From: Piete Brooks <Piete.Brooks@cl.cam.ac.uk>
Message-Id: <E0uuwhb-0001ug-00@heaton.cl.cam.ac.uk>

> Is there a secure way to check-for-non-symlink-and-open atomically?
> Probably not, and thus a better algorithm is to follow the symlinks to
> the actual file, and check the permissions on it.

Not that I know of, but (I think) you can reduce the general problem to just
allowing someone to change the last modified time on a file, by breaking it
down into two cases of file exists and file does not exist.
In the first case, if you open, then re-check the file before writing,
you will have changed the modification date, but no worse.
In the second case, most OSes can do it atomically.


Here's an edited commentry (from a mail delivery programme)

(5f) Stat the file.

(6f) If the file already exists:

     If it's not a regular file, complain to local administrator and defer
     delivery with a local error code that causes subsequent delivery to
     be prevented until manually enabled.

     Check owner, group and permissions. If not, complain and defer.

     Save the inode number.

     Open with O_WRONLY + O_APPEND, thus failing if the file has vanished.

     If open fails because the file does not exist, go to (7); on any other
     failure except EWOULDBLOCK, complain & defer. For EWOULDBLOCK (NFS
     failure), just defer.

     Check the inode number hasn't changed - I realize this isn't perfect (an
     inode can be reused) but it's cheap and will catch some of the races.

     Check it's still a regular file.

     Check that the owner and permissions haven't changed.

(7f) If file does not exist initially:

     Open with O_WRONLY + O_EXCL + O_CREAT with configured mode.

     If open fails because the file already exists, go to (6). To avoid looping
     for ever in a situation where the file is continuously being created and
     deleted, go round the (6)->(7)->(6) loop no more than 10 times. If this
     count expires, complain and defer with a code that freezes delivery
     attempts.

     If open fails for any other reason, defer for subsequent delivery.