From piete.brooks@cl.cam.ac.uk Mon Aug 26 19:04:31 1996 Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id TAA01179 for ; Mon, 26 Aug 1996 19:04:01 +1000 Received: from heaton.cl.cam.ac.uk (exim@heaton.cl.cam.ac.uk [128.232.32.11]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id BAA06556 for ; Mon, 26 Aug 1996 01:11:35 -0700 (PDT) Received: from cl.cam.ac.uk [128.232.0.11] (pb) by heaton.cl.cam.ac.uk with esmtp (Exim 0.52 #2) id E0uuwhb-0001ug-00; Mon, 26 Aug 1996 09:07:19 +0100 X-uri: X-face: &@N3QE9h|>f`igFCkZ'a1`z=nNLXb}k>H(79G"V?@!&*yn)uhPBctF1vc}LD'{OA%$bs X+l[wN,I^G8kKj2NFxQrr@1C4QBC]hq5-%ZkV,^Zl/qE<0`zCQ1nM+]-N<^WG[H)]?d) A:L9AFgOU[BjbaY)uBAMz}h!fm^O0# To: Daniel Bromberg cc: leitner@math.fu-berlin.de (Felix von Leitner), best-of-security@suburbia.net, Piete.Brooks@cl.cam.ac.uk Subject: Re: BoS: cfingerd possible security hole In-reply-to: Your message of Sun, 25 Aug 1996 16:29:26 -0700. <199608252329.QAA04110@furlong.jpl.nasa.gov> Date: Mon, 26 Aug 1996 09:07:17 +0100 From: Piete Brooks Message-Id: > Is there a secure way to check-for-non-symlink-and-open atomically? > Probably not, and thus a better algorithm is to follow the symlinks to > the actual file, and check the permissions on it. Not that I know of, but (I think) you can reduce the general problem to just allowing someone to change the last modified time on a file, by breaking it down into two cases of file exists and file does not exist. In the first case, if you open, then re-check the file before writing, you will have changed the modification date, but no worse. In the second case, most OSes can do it atomically. Here's an edited commentry (from a mail delivery programme) (5f) Stat the file. (6f) If the file already exists: If it's not a regular file, complain to local administrator and defer delivery with a local error code that causes subsequent delivery to be prevented until manually enabled. Check owner, group and permissions. If not, complain and defer. Save the inode number. Open with O_WRONLY + O_APPEND, thus failing if the file has vanished. If open fails because the file does not exist, go to (7); on any other failure except EWOULDBLOCK, complain & defer. For EWOULDBLOCK (NFS failure), just defer. Check the inode number hasn't changed - I realize this isn't perfect (an inode can be reused) but it's cheap and will catch some of the races. Check it's still a regular file. Check that the owner and permissions haven't changed. (7f) If file does not exist initially: Open with O_WRONLY + O_EXCL + O_CREAT with configured mode. If open fails because the file already exists, go to (6). To avoid looping for ever in a situation where the file is continuously being created and deleted, go round the (6)->(7)->(6) loop no more than 10 times. If this count expires, complain and defer with a code that freezes delivery attempts. If open fails for any other reason, defer for subsequent delivery.