mkdir() and security hole

The Beach Bum jfh at rpp386.Dallas.TX.US
Sat Dec 24 08:17:54 AEST 1988


In article <876 at husc6.harvard.edu> ddl at husc6.harvard.edu (Dan Lanciani) writes:
>| The real problem is mkdir trusts dirname to be the directory it just
>| created, which is not necessarily the case.  Nicing the process only
>| shrinks the window of vulnerability, but it doesn't close it.
>
>	Correct.

In the case of the posted patch which I suggested, this is immaterial.
If the directory being chown()'d is NOT the directory which was just
created, then the person doing the spoofing must have created the
bogus directory with some help by becoming root, since only root could
have made the bogus directory links.

Given THAT piece of information, it SHOULD be obvious that either the
patch works, or the bad guy was root already in which case it doesn't
matter what the hell happens.  Only root can create arbitrary directory
structures.  Only a clever manipulation of the directory structure
could cause mkdir to chown the wrong directory.
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Unix doesn't have bugs,
InterNet: jfh at rpp386.Dallas.TX.US       | Unix is a bug"
UucpNet : <backbone>!killer!rpp386!jfh  +--              -- author forgotten --
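
The concern quoted above, that mkdir trusts the name to still be the directory it just created, can be avoided by opening the new directory and working on the descriptor rather than the name. The C code below is an added example, not the patch discussed in this thread and not code from either poster; it assumes POSIX.1-2008 calls (mkdirat, openat, fchown) that postdate this 1988 post, and the helper names chown_created_dir and make_dir_for are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: give away ownership of directory `name` inside
 * `parentfd`, which this process has just created.
 * Returns 0 on success, -1 if `name` is not a directory we still own. */
int chown_created_dir(int parentfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink planted at `name` makes the open fail.
     * O_DIRECTORY: anything that is not a directory makes it fail. */
    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* Check the object actually opened; the name is never used again.
     * A directory another user made and moved into place has a different owner. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    int rc = fchown(fd, uid, gid);   /* acts on the descriptor, not the path */
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Create `name` under `parentfd` and hand it to uid/gid. */
int make_dir_for(int parentfd, const char *name, uid_t uid, gid_t gid)
{
    if (mkdirat(parentfd, name, 0700) != 0)
        return -1;
    return chown_created_dir(parentfd, name, uid, gid);
}

int main(void)
{
    char tmpl[] = "/tmp/mkdir_demo_XXXXXX";   /* constructed scratch directory */
    char *base = mkdtemp(tmpl);
    int pfd = base ? open(base, O_RDONLY | O_DIRECTORY) : -1;
    if (pfd < 0)
        return 1;
    printf("create+chown: %d\n", make_dir_for(pfd, "newdir", geteuid(), getegid()));
    close(pfd);
    return 0;
}
```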


