Bad file access on the rise

Oron Peled oron at actcom.co.il
Sat Jun 8 06:11:56 UTC 2013


On Friday 07 June 2013 18:55:46 Lennart Poettering wrote:
> > > On Fri, 07.06.13 12:09, Steve Grubb (sgrubb at redhat.com) wrote:
> > > > > > Maybe the uid can be encoded in the name so that wrong uid's are
> > > > > > skipped?
> User "simo" creates /dev/shm/1000/ even though 1000 is the UID of user
> "lennart". Lennart can never start PA again, ever. And can't do anything
> about it, because "simo" is in control, and /dev/shm is sticky.

Why does the UID have to be encoded in the name?
 * The application can simply issue an lstat() before open() and skip
    files with wrong uids.

 * Obviously, an attacker could try and trigger some race condition on
    the name, but then it's OK for the audit to shout about it.

What am I missing?

-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://users.actcom.co.il/~oron
You know, someone once told me that New York has more lawyers than people.
                                         -- Warren Buffett, Fortune, 1999
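
The check proposed in the message above, as an added example that is not part of the original post: lstat() the name, skip it on a wrong owner, then open with O_NOFOLLOW and compare fstat() against the lstat() result so a swap of the name between the two calls is detected. The helper name open_if_owned() and the read-only open mode are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* open_if_owned() is a hypothetical helper name, not from the thread.
 * Returns a read-only fd for `path` only if it is a regular file owned by
 * `want`; returns -1 when the entry should be skipped. */
int open_if_owned(const char *path, uid_t want)
{
    struct stat before, after;

    /* lstat() judges the directory entry itself, so a symlink planted by
     * another user is seen as a symlink, not as the file it points to. */
    if (lstat(path, &before) != 0)
        return -1;
    if (!S_ISREG(before.st_mode) || before.st_uid != want)
        return -1;

    /* O_NOFOLLOW fails if the name was swapped for a symlink after lstat(). */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Close the lstat()/open() race: the descriptor must refer to the same
     * inode that was checked, and still carry the expected owner. */
    if (fstat(fd, &after) != 0 || after.st_dev != before.st_dev ||
        after.st_ino != before.st_ino || after.st_uid != want ||
        !S_ISREG(after.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Usage: ./a.out PATH ; checks PATH against the caller's effective uid. */
    if (argc != 2)
        return 2;
    int fd = open_if_owned(argv[1], geteuid());
    printf("%s: %s\n", argv[1], fd >= 0 ? "opened" : "skipped");
    if (fd >= 0)
        close(fd);
    return fd >= 0 ? 0 : 1;
}
```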
