|
|
BugTraq
RE: gzip TOCTOU file-permissions vulnerability Apr 14 2005 03:27PM Mark Senior (Mark Senior gov ab ca) (4 replies) Re: gzip TOCTOU file-permissions vulnerability Apr 15 2005 05:33AM Scott Gifford (sgifford suspectclass com) Re: gzip TOCTOU file-permissions vulnerability Apr 15 2005 02:35AM devnull Rodents Montreal QC CA (1 replies) Re: gzip TOCTOU file-permissions vulnerability Apr 16 2005 12:06PM Dmitry Yu. Bolkhovityanov (bolkhov sky inp nsk su) Re: gzip TOCTOU file-permissions vulnerability Apr 14 2005 04:11PM Derek Martin (code pizzashack org) |
|
Privacy Statement |
> > From: Derek Martin [mailto:code (at) pizzashack (dot) org [email concealed]]
> > Sent: April 13, 2005 08:50
> > The open() call is at fault here. If instead of being called
> > with a mode of RW_USER, it is called with the final intended
> > access mode, there is no need to later call chmod(), and the
> > problem is averted.
>
> One wrinkle - if the file is not intended to have user write permission
> on it, and gzip (unzip/cpio/pax...) initially created it with the
> intended permissions, there would be no way to then write the file.
I don't know about Windows, but on POSIX systems you can create a file
without write permissions and still write to it.
A small example from the shell:
bernon:~/tmp 12:58 121% umask 0777
bernon:~/tmp 12:58 122% echo foo > bar
bernon:~/tmp 12:58 123% ll bar
---------- 1 hjp sysadm 4 Apr 15 12:58 bar
As you can see, the file has no permissions, but still length 4.
This trick is sometimes used for lock files.
hp
--
_ | Peter J. Holzer \Beta means "we're down to fixing misspelled comments in
|_|_) | Sysadmin WSR \the source, and you might run into a memory leak if
| | | hjp (at) wsr.ac (dot) at [email concealed] \you enable embedded haskell as a loadable module and
__/ | http://www.hjp.at/ \write your plugins upside-down in lisp". --ae (at) op5 (dot) se [email concealed]
[ reply ]