HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Bruce Evans
bde at zeta.org.au
Tue Jan 16 03:42:36 UTC 2007
On Tue, 16 Jan 2007, Dirk Engling wrote:
> Colin Percival wrote:
>
>> No. `cp -f` unlinks the existing file and creates a new file, but will
>> still follow a symlink if one is created between the "unlink" syscall and
>> the "open" syscall.
> ...
> You are right. Atomically in binary is not atomical enough.
>
> mv in its rename()-form will do the job, so we need to create a file in
> . by mktemp and mv it to the real name when filled.
install -S already implements this, but not robustly enough to be secure.
It only creates the temporary file if the target doesn't already exists,
so it is subject to the usual races otherwise. 'S' stands for "safe"
(no-clobber), not secure, so this is reasonable. However, it can easily
be made both safer (actually no-clobber) and securer by opening the file
with O_EXCL and exiting if the file exists at the time of the open.
Perhaps cp -f should do the same. (Both have paths where they do a
forced unlink() followed by an open(). This open() can easily use O_EXCL).
mv(1) can never be trusted to use its rename() form since it uses
copying to move across file systems and there is no way to control this.
mv(1)'s rewriting of "mv file dir" to "rename file dir/file" is also
a problem (I keep rename(1) handy to avoid it). I haven't followed
most of this thread so I don't know what the attacker can do here.
Changing the target to a symlink to a directory on a different file
system would exploit both of the problems in mv.
Bruce
More information about the freebsd-security
mailing list