HEADS UP: Re: FreeBSD Security Advisory FreeBSD-SA-07:01.jail
Bruce Evans
bde at zeta.org.au
Tue Jan 16 10:44:03 UTC 2007
On Tue, 16 Jan 2007, Pawel Jakub Dawidek wrote:
> On Tue, Jan 16, 2007 at 02:42:17PM +1100, Bruce Evans wrote:
>> install -S ...
>> ... can easily
>> be made both safer (actually no-clobber) and securer by opening the file
>> with O_EXCL and exiting if the file exists at the time of the open.
>> Perhaps cp -f should do the same. (Both have paths where they do a
>> forced unlink() followed by an open(). This open() can easily use O_EXCL).
>
> Interesting. I was sure it won't work as you described, because the
> target file can be a symlink and open(2) by default follows symlinks.
> I thought that you just forget about O_NOFOLLOW flag, but it seems, that
> with O_EXCL open(2) doesn't follow symlinks so it will work.
I did forget it. I just assumed that doing the same thing as mkstemp()
is as secure as possible, and it is. Old versions of mkstemp() couldn't
use O_NOFOLLOW since O_NOFOLLOW has only existed since Y2K. New
versions don't use it because it is unnecessary. Exclusive access
isn't enough for security since if open() followed a dangling link it
would create a security hole with (O_CREAT | O_EXCL). But there is
no problem since O_EXCL implies not following symlinks even if O_NOFOLLOW
is not supported. This is documented in open(2) and better documented
in POSIX.
Bruce
More information about the freebsd-security
mailing list