From strange@tezcat.com  Tue Aug 27 00:02:41 1996
Received: from xochi.tezcat.com (strange@xochi.tezcat.com [204.128.247.12]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id AAA12475 for <best-of-security@suburbia.net>; Tue, 27 Aug 1996 00:02:16 +1000
Received: from localhost (strange@localhost) by xochi.tezcat.com (Local/tezcat-pb-patch) with SMTP id JAA13084 for <best-of-security@suburbia.net>; Mon, 26 Aug 1996 09:01:41 -0500 (CDT)
Date: Mon, 26 Aug 1996 09:01:41 -0500 (CDT)
From: Mike Scher <strange@tezcat.com>
Reply-To: Mike Scher <strange@tezcat.com>
To: best-of-security@suburbia.net
Subject: Re: BoS: cfingerd possible security hole 
In-Reply-To: <199608252329.QAA04110@furlong.jpl.nasa.gov>
Message-ID: <Pine.SUN.3.95.960826085433.11981F-100000@xochi.tezcat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sun, 25 Aug 1996, Daniel Bromberg wrote:
> Note that we shouldn't forget about the old /bin/mail-type race
> condition.  Checking for a symlink doesn't mean it won't be a few
> ticks later when the file is actually open()'d and written to. While
> fingerd should be run as nobody people might get still run it as root.
> Is there a secure way to check-for-non-symlink-and-open atomically?
> Probably not, and thus a better algorithm is to follow the symlinks to
> the actual file, and check the permissions on it.

You can always write the finger daemon to check its (e)u/(e)gid in the
first few lines and, if it's 0/0 0/1 (etc), either set(e)u/gid to
something innocuous or refuse to run, logging an alert.  That really would
not be a bad option to build into all daemons that are NOT supposed to run
as root.

      -Mike

Michael Brian Scher   (MS683)   | Anthropologist, Attorney, Part-Time Guru
http://www.tezcat.com/~strange/ |          strange@cultural.com
strange@tezcat.com              |       mbscher@midway.uchicago.edu
   I'm a legal anthropologist; what's an illegal anthropologist?
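The startup check Scher suggests above, written out as an added example in C; this is not code from the original message or from cfingerd. It assumes a fallback account whose name the caller supplies (here "nobody") exists in the password file, that alerts go to syslog, and that gid 0 and gid 1 are treated as privileged, as the message does. The policy decision is kept separate from the setuid/setgid calls so it can be tested without root.

```c
/* Added example: startup privilege check for a daemon that must not run as
 * root, after the suggestion in the message above. Not code from the
 * original post or from cfingerd. Assumptions: the fallback account named
 * by the caller ("nobody" in main) exists; alerts go to syslog; gid 0 and
 * gid 1 count as privileged, as the message says. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

enum priv_action { PRIV_CONTINUE, PRIV_DROP, PRIV_REFUSE };

/* The effective ids the message singles out: uid 0, or gid 0 or 1. */
int is_privileged(uid_t euid, gid_t egid)
{
    return euid == 0 || egid == 0 || egid == 1;
}

/* Pure policy: carry on as-is, drop to a fallback account if one is
 * available, otherwise refuse to run at all. */
enum priv_action decide_priv_action(uid_t euid, gid_t egid, int have_fallback)
{
    if (!is_privileged(euid, egid))
        return PRIV_CONTINUE;
    return have_fallback ? PRIV_DROP : PRIV_REFUSE;
}

/* Permanently drop to the target ids. Order matters: supplementary groups
 * and the gid first (they need root), the uid last. Then verify the drop
 * stuck; a daemon that silently keeps root is what the check exists for. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* the fallback must not be root */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* root came back: treat as failure */
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Call in the first lines of main(). Returns 0 when it is safe to go on
 * serving requests, -1 when the daemon should exit. */
int enforce_unprivileged(const char *fallback_user)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    struct passwd *pw = fallback_user ? getpwnam(fallback_user) : NULL;

    switch (decide_priv_action(euid, egid, pw != NULL)) {
    case PRIV_CONTINUE:
        return 0;
    case PRIV_REFUSE:
        syslog(LOG_ALERT,
               "started with euid=%u egid=%u and no fallback account; refusing to run",
               (unsigned)euid, (unsigned)egid);
        return -1;
    case PRIV_DROP:
        if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
            syslog(LOG_ALERT,
                   "started with euid=%u egid=%u; could not drop to %s, refusing to run",
                   (unsigned)euid, (unsigned)egid, fallback_user);
            return -1;
        }
        syslog(LOG_WARNING, "started with euid=%u egid=%u; dropped to %s (uid %u)",
               (unsigned)euid, (unsigned)egid, fallback_user, (unsigned)pw->pw_uid);
        return 0;
    }
    return -1;
}

int main(void)
{
    openlog("fingerd-example", LOG_PID, LOG_DAEMON);
    if (enforce_unprivileged("nobody") != 0) {
        fprintf(stderr, "refusing to run with current privileges\n");
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as an ordinary user it just reports the current ids; started as root it either drops to "nobody" and logs a warning, or logs an alert and exits if that account is missing or the drop does not verify. The verification step (trying setuid(0) again and re-reading all four ids) is the part most drop-privilege code omits and the part that turns a silent failure into a refusal.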

