From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 20 14:06:26 2012
From: Samuel Bronson
To: submit@debbugs.gnu.org
Subject: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
Date: Tue, 20 Nov 2012 14:05:07 -0500
Message-ID: <87y5hw6qos.fsf@naesten.dyndns.org>

Package: coreutils
Version: 8.5
Tags: security patch

[Forwarded message, message/rfc822]
Subject: Bug#598018: install: temporary insecure file permissions
Reply-To: "Bernhard R. Link", 598018@bugs.debian.org
Resent-From: "Bernhard R. Link"
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: team@security.debian.org, Michael Stone
Resent-Date: Sat, 25 Sep 2010 12:21:04 +0000
X-Debian-PR-Package: coreutils
X-Debian-PR-Keywords: security
Date: Sat, 25 Sep 2010 14:17:32 +0200
From: "Bernhard R. Link"
To: submit@bugs.debian.org
Message-ID: <20100925121732.GA12395@pcpool00.mathematik.uni-freiburg.de>

Package: coreutils
Version: 8.5-1
Tags: security
X-Debbugs-CC: team@security.debian.org

Installing a regular file with install creates the file with the same
permissions as the original file, copies the contents, then changes the
permissions of that file to 0600 and finally changes ownership and sets
the permissions to the ones requested with -m.

This means that if the target directory is more accessible than the
original directory, or if the group will be set, the file can for a short
time be accessible to users it should not be accessible to.

Consider for example someone doing

install -m 750 -g shadow /etc/shadow /backup/shadow

results in:

stat64("/etc/shadow", {st_mode=S_IFREG|0640, st_size=778, ...}) = 0
lstat64("/backup/shadow", 0xffd932b4) = -1 ENOENT (No such file or directory)
open("/etc/shadow", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0640, st_size=778, ...}) = 0
open("/backup/shadow", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0640) = 4
fstat64(4, {st_mode=S_IFREG|0640, st_size=0, ...}) = 0
[...]
read(...)
write(...)
[...]
fchmod(4, 0600) = 0
close(4) = 0
close(3) = 0
lchown32("/backup/shadow", -1, 42) = 0
chmod("/backup/shadow", 0600) = 0

Which means the generated file will for a short time be readable by
accounts in group root (which should only be able to get the contents if
they also know the root password).
Other examples where this can be an issue are copying a file with mode
0644 in a directory only accessible to the current user to a directory
other people can access with install -m 600: again, for a short time the
file will be accessible with mode 644.

The following patch fixes that (also attached to avoid transport problems):

diff -r -u -N a/src/copy.c b/src/copy.c
--- a/src/copy.c	2010-04-20 21:52:04.000000000 +0200
+++ b/src/copy.c	2010-09-25 13:44:01.000000000 +0200
@@ -2007,7 +2007,7 @@
          used as the 3rd argument in the open call.  Historical
          practice passed all the source mode bits to 'open', but the extra
          bits were ignored, so it should be the same either way.  */
-      if (! copy_reg (src_name, dst_name, x, src_mode & S_IRWXUGO,
+      if (! copy_reg (src_name, dst_name, x, dst_mode_bits & S_IRWXUGO,
                       omitted_permissions, &new_dst, &src_sb))
         goto un_backup;
     }

This patch should be safe as dst_mode_bits is src_mode unless set_mode is
set, which only install seems to set (and for install that behaviour is
always better).

Bernhard R. Link

[Attachment "diff.diff" (text/x-diff): the same patch as above]
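Review bot: the unchanged comment directly above the changed line still says POSIX requires the source file's permission bits as the third argument to open, which the new call contradicts whenever dst_mode_bits differs from src_mode; extend that comment with the justification given in the cover text (dst_mode_bits equals src_mode except when set_mode is in effect, i.e. install, which POSIX does not specify), otherwise the next reader will "correct" it back. The omitted_permissions argument is passed through unchanged, so the patch narrows only the mode used at creation and does not touch the close-then-lchown/chmod-by-path sequence visible in the strace above; the cover text should say so explicitly.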
I don't claim to understand it (copy_internal() is gigantic!), but it
seems like this should have been forwarded two years ago...

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature to help me spread!

From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 20 16:22:02 2012
Message-ID: <50ABF42D.50904@cs.ucla.edu>
Date: Tue, 20 Nov 2012 13:20:45 -0800
From: Paul Eggert
To: Samuel Bronson
Cc: 598018@bugs.debian.org, 12947-done@debbugs.gnu.org, "Bernhard R. Link"
Subject: Re: bug#12947: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
In-Reply-To: <87y5hw6qos.fsf@naesten.dyndns.org>

Thanks, I installed this patch into the coreutils master branch,
and I'm marking the upstream coreutils bug as done.

From 7ee71d9ddad1435bbea00779bcd4c62482ea3473 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 20 Nov 2012 13:15:34 -0800
Subject: [PATCH] install: fix security race

* src/copy.c (copy_internal): Use DST_MODE_BITS, not SRC_MODE.
See Bernhard R. Link in and in .
---
 src/copy.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/copy.c b/src/copy.c
index 16aed03..7a35414 100644
--- a/src/copy.c
+++ b/src/copy.c
@@ -2394,8 +2394,13 @@ copy_internal (char const *src_name, char const *dst_name,
       /* POSIX says the permission bits of the source file must be
          used as the 3rd argument in the open call.  Historical
          practice passed all the source mode bits to 'open', but the extra
-         bits were ignored, so it should be the same either way.  */
-      if (! copy_reg (src_name, dst_name, x, src_mode & S_IRWXUGO,
+         bits were ignored, so it should be the same either way.
+
+         This call uses DST_MODE_BITS, not SRC_MODE.  These are
+         normally the same, and the exception (where x->set_mode) is
+         used only by 'install', which POSIX does not specify and
+         where DST_MODE_BITS is what's wanted.  */
+      if (! copy_reg (src_name, dst_name, x, dst_mode_bits & S_IRWXUGO,
                       omitted_permissions, &new_dst, &src_sb))
         goto un_backup;
     }
-- 
1.7.11.7
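Review bot: the diffstat shows only src/copy.c changing; a user-visible security fix to install's behaviour should land with a NEWS entry (and, if feasible, a test that checks the destination's mode at creation time) in the same commit rather than a follow-up. In the added comment, "These are normally the same" asserts the relationship between DST_MODE_BITS and SRC_MODE without pointing at where dst_mode_bits is computed; naming that spot (or adding an assertion that the two are equal when !x->set_mode) would let a reader verify that the POSIX requirement in the first sentence still holds for cp.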
From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 20 16:43:12 2012
Message-ID: <50ABF920.6020300@redhat.com>
Date: Tue, 20 Nov 2012 14:41:52 -0700
From: Eric Blake
Organization: Red Hat
To: 12947@debbugs.gnu.org, eggert@cs.ucla.edu, naesten@gmail.com
Subject: Re: bug#12947: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
In-Reply-To: <50ABF42D.50904@cs.ucla.edu>

On 11/20/2012 02:20 PM, Paul Eggert wrote:
> Thanks, I installed this patch into the coreutils master branch,
> and I'm marking the upstream coreutils bug as done.
> 
> From 7ee71d9ddad1435bbea00779bcd4c62482ea3473 Mon Sep 17 00:00:00 2001
> From: Paul Eggert
> Date: Tue, 20 Nov 2012 13:15:34 -0800
> Subject: [PATCH] install: fix security race
> 
> * src/copy.c (copy_internal): Use DST_MODE_BITS, not SRC_MODE.
> See Bernhard R. Link in and in
> .
> ---
>  src/copy.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)

This also needs a NEWS entry.  I'm not sure how easy or hard it would be
to write a test case, though.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

[OpenPGP/MIME signature (signature.asc) omitted]

From debbugs-submit-bounces@debbugs.gnu.org Tue Nov 20 21:13:53 2012
Message-ID: <50AC3890.5060303@cs.ucla.edu>
Date: Tue, 20 Nov 2012 18:12:32 -0800
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Eric Blake
Cc: naesten@gmail.com, 12947@debbugs.gnu.org
Subject: Re: bug#12947: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
In-Reply-To: <50ABF920.6020300@redhat.com>

On 11/20/2012 01:41 PM, Eric Blake wrote:
> This also needs a NEWS entry.  I'm not sure how easy or hard it would be
> to write a test case, though.

Jim's the expert on writing test cases for race conditions.
Not sure that this one is worth a lot of work, though.

I pushed this NEWS patch:

From 791a9c05122a1031820eebf58c04c4f157e36cfd Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 20 Nov 2012 18:10:21 -0800
Subject: [PATCH] install: fix security race

* NEWS: Document this.
---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/NEWS b/NEWS
index 713f761..15fddd4 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,9 @@ GNU coreutils NEWS                                -*- outline -*-
   Instead, cut now fails and emits an appropriate diagnostic.
   [This bug was present in "the beginning".]
 
+  install -m M SOURCE DEST no longer has a race condition where DEST's
+  permissions are temporarily derived from SOURCE instead of from M.
+
   pr -n no longer crashes when passed values >= 32.  Also line numbers are
   consistently padded with spaces, rather than with zeros for certain widths.
   [bug introduced in TEXTUTILS-1_22i]
-- 
1.7.11.7
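Review bot: the new entry lacks the bracketed provenance line the neighbouring entries carry ('[This bug was present in "the beginning".]', '[bug introduced in TEXTUTILS-1_22i]'); add one stating when the race was introduced, or that it has always been present, so distribution maintainers can tell which releases need the fix. Since the report reached the tracker tagged security, the entry would also be easier to find if it said the exposure was to users who could read SOURCE's mode but not M.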
From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 21 05:28:52 2012
Date: Wed, 21 Nov 2012 11:27:24 +0100 (CET)
From: Bernhard Voelker
To: Paul Eggert, Eric Blake
Cc: naesten@gmail.com, 12947@debbugs.gnu.org
Message-ID: <988960013.11745.1353493644686.JavaMail.open-xchange@email.1und1.de>
In-Reply-To: <50AC3890.5060303@cs.ucla.edu>
Subject: Re: bug#12947: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]

On November 21, 2012 at 3:12 AM Paul Eggert wrote:
> I pushed this [...]

This is more of a question, and I may be wrong, but isn't there still a
race afterwards?

execve("src/ginstall", ["src/ginstall", "-g", "video", "-m", "664", "src/ginstall", "/tmp/g"], ...) = 0
...
stat("src/ginstall", {st_dev=makedev(8, 16), st_ino=134447, st_mode=S_IFREG|0755, st_nlink=1, st_uid=1000, st_gid=100, ...}) = 0
lstat("/tmp/g", 0x7fff6458b750) = -1 ENOENT (No such file or directory)
open("src/ginstall", O_RDONLY) = 3
fstat(3, {st_dev=makedev(8, 16), st_ino=134447, st_mode=S_IFREG|0755, st_nlink=1, st_uid=1000, st_gid=100, ...}) = 0
open("/tmp/g", O_WRONLY|O_CREAT|O_EXCL, 0600) = 4
fstat(4, {st_dev=makedev(8, 2), st_ino=18846, st_mode=S_IFREG|0600, st_nlink=1, st_uid=1000, st_gid=100, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
read(3, ..., 65536) = 65536
write(4, ..., 65536) = 65536
...
fchmod(4, 0600) = 0
close(4) = 0
close(3) = 0
<== ... race? ... ==>
lchown("/tmp/g", 4294967295, 33) = 0
chmod("/tmp/g", 0664) = 0

I.e., after closing FDs 4 and 3, the file "/tmp/g" could have been
replaced.  Why aren't we using fchown and fchmod_or_lchmod before the
close() call?

Have a nice day,
Berny

From debbugs-submit-bounces@debbugs.gnu.org Wed Nov 21 10:43:02 2012
Message-ID: <50ACF636.60702@cs.ucla.edu>
Date: Wed, 21 Nov 2012 07:41:42 -0800
From: Paul Eggert
Organization: UCLA Computer Science Department
To: Bernhard Voelker
Cc: naesten@gmail.com, Eric Blake, 12947@debbugs.gnu.org
Subject: Re: bug#12947: [brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
In-Reply-To: <988960013.11745.1353493644686.JavaMail.open-xchange@email.1und1.de>

On 11/21/2012 02:27 AM, Bernhard Voelker wrote:
> Why aren't we using fchown and
> fchmod_or_lchmod before the close() call?

The code used to do that, if memory serves, but then the code was
modified to deal with ACLs or SELinux or whatever and it turned into a
big mess, which I've been afraid to deal with.  I vaguely recall that it
had something to do with the relevant ACL and/or SELinux calls requiring
file names (which seemed like a huge mistake to me at the time).
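The ordering problem described in Bernhard R. Link's report and in Berny's follow-up, as an added example that is not coreutils code and was not posted by anyone in this thread. racy_install() reproduces the sequence both straces show: create the destination with the source's permission bits, copy, fchmod, close both descriptors, then change group and mode by path. secure_install() shows the order Berny asks about: create owner-only regardless of the source's mode, copy, then fchown and fchmod on the still-open descriptor, and close last. Each variant records the union of permission bits the destination ever carried so the exposure window is measurable. The helper names, the scratch directory under $TMPDIR (or /tmp) and the 0644 sample source are constructed for the demonstration; the ACL and SELinux handling Paul Eggert mentions as the reason the real code works by name is deliberately not modelled.

```c
/* Added example, not coreutils code: the two create/copy/chmod orders
   discussed in bug#12947, each recording the union of permission bits
   the destination file ever carried. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy all bytes from in_fd to out_fd; 0 on success, -1 on error. */
static int copy_contents(int in_fd, int out_fd)
{
    char buf[65536];
    ssize_t n;
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
    return n < 0 ? -1 : 0;
}

/* OR the permission bits the open file currently has into *seen. */
static void note_fd_mode(int fd, mode_t *seen)
{
    struct stat st;
    if (fstat(fd, &st) == 0)
        *seen |= st.st_mode & 07777;
}

/* The order in the report's strace: destination created with SOURCE's
   bits; group and final mode applied by path only after close(). */
int racy_install(const char *src, const char *dst, mode_t mode, gid_t gid,
                 mode_t *seen)
{
    struct stat sst, dst_st;
    int sfd = open(src, O_RDONLY);
    if (sfd < 0 || fstat(sfd, &sst) < 0)
        return -1;
    int dfd = open(dst, O_WRONLY | O_CREAT | O_EXCL, sst.st_mode & 0777);
    if (dfd < 0) { close(sfd); return -1; }
    note_fd_mode(dfd, seen);             /* wider than MODE if SOURCE is */
    int rc = copy_contents(sfd, dfd);
    if (rc == 0) rc = fchmod(dfd, S_IRUSR | S_IWUSR);
    close(dfd);
    close(sfd);
    /* By-path calls after close: the name may be re-bound in between. */
    if (rc == 0 && gid != (gid_t)-1) rc = lchown(dst, (uid_t)-1, gid);
    if (rc == 0) rc = chmod(dst, mode);
    if (rc == 0 && stat(dst, &dst_st) == 0) *seen |= dst_st.st_mode & 07777;
    return rc;
}

/* Hardened order: create owner-only, copy, then fchown/fchmod on the
   descriptor, and close last; no by-path call after the file is written. */
int secure_install(const char *src, const char *dst, mode_t mode, gid_t gid,
                   mode_t *seen)
{
    int sfd = open(src, O_RDONLY);
    if (sfd < 0)
        return -1;
    int dfd = open(dst, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (dfd < 0) { close(sfd); return -1; }
    note_fd_mode(dfd, seen);             /* never wider than 0600 */
    int rc = copy_contents(sfd, dfd);
    if (rc == 0 && gid != (gid_t)-1) rc = fchown(dfd, (uid_t)-1, gid);
    if (rc == 0) rc = fchmod(dfd, mode); /* group/other bits appear only now */
    note_fd_mode(dfd, seen);
    if (close(dfd) < 0) rc = -1;
    close(sfd);
    return rc;
}

/* Constructed scenario from the report: a 0644 source installed with
   -m 600.  Returns the union of bits the destination carried, or -1. */
int demo_widest_mode(int secure)
{
    char dir[256], src[300], dst[300];
    const char *tmp = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s/install-demo.XXXXXX", tmp ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(src, sizeof src, "%s/src", dir);
    snprintf(dst, sizeof dst, "%s/dst", dir);
    mode_t old_umask = umask(022), seen = 0;
    int rc = -1, fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd >= 0) {
        static const char body[] = "constructed sample contents\n";
        int ok = write(fd, body, sizeof body - 1) == (ssize_t)(sizeof body - 1);
        close(fd);
        if (ok)
            rc = secure ? secure_install(src, dst, 0600, (gid_t)-1, &seen)
                        : racy_install(src, dst, 0600, (gid_t)-1, &seen);
    }
    umask(old_umask);
    unlink(dst); unlink(src); rmdir(dir);
    return rc == 0 ? (int)seen : -1;
}

int main(void)
{
    printf("racy:   bits ever set on DEST = %04o\n", demo_widest_mode(0));
    printf("secure: bits ever set on DEST = %04o\n", demo_widest_mode(1));
    return 0;
}
```

Compiled with cc -std=c99, the racy variant reports 0644 (the source's group and other read bits were exposed between open() and the final chmod), the secure variant 0600. The shrunken window in the hardened order is only the one between open() and the first fstat(), and during it the file carries nothing wider than the owner's own bits; applying ownership and mode through the descriptor also means a concurrent replacement of the name cannot redirect the chmod/chown to a different inode, which is the residual concern Berny raises about the post-close lchown/chmod pair.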
[debbugs control message, Thu, 20 Dec 2012 12:24:04 +0000: bug archived.]