GNU bug report logs -
#12947
[brlink@debian.org: Bug#598018: install: temporary insecure file permissions]
Previous Next
Reported by: Samuel Bronson <naesten <at> gmail.com>
Date: Tue, 20 Nov 2012 19:07:01 UTC
Severity: normal
Tags: patch, security
Found in version 8.5
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
Full log
Message #19 received at 12947 <at> debbugs.gnu.org (full text, mbox):
On November 21, 2012 at 3:12 AM Paul Eggert <eggert <at> cs.ucla.edu> wrote:
> I pushed this [...]
This is more of a question, and I may be wrong,
but isn't here still a race afterwards?
execve("src/ginstall", ["src/ginstall", "-g", "video", "-m",
"664", "src/ginstall", "/tmp/g"], ...) = 0
...
stat("src/ginstall", {st_dev=makedev(8, 16), st_ino=134447,
st_mode=S_IFREG|0755, st_nlink=1,
st_uid=1000, st_gid=100, ...}) = 0
lstat("/tmp/g", 0x7fff6458b750) = -1 ENOENT (No such file or
directory)
open("src/ginstall", O_RDONLY) = 3
fstat(3, {st_dev=makedev(8, 16), st_ino=134447,
st_mode=S_IFREG|0755, st_nlink=1,
st_uid=1000, st_gid=100, ...}) = 0
open("/tmp/g", O_WRONLY|O_CREAT|O_EXCL, 0600) = 4
fstat(4, {st_dev=makedev(8, 2), st_ino=18846,
st_mode=S_IFREG|0600, st_nlink=1,
st_uid=1000, st_gid=100, ...}) = 0
fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
read(3, ..., 65536) = 65536
write(4, ..., 65536) = 65536
...
fchmod(4, 0600) = 0
close(4) = 0
close(3) = 0
<== ... race? ... ==>
lchown("/tmp/g", 4294967295, 33) = 0
chmod("/tmp/g", 0664) = 0
I.e., after closing FDs 4 and 3, the file "/tmp/g" could
have been replaced. Why aren't we using fchown and
fchmod_or_lchmod before the close() call?
Have a nice day,
Berny
This bug report was last modified 12 years and 183 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.