Closed p5pRT closed 21 years ago
On Thu, Mar 30, 2000 at 04:46:57AM -0800, Mike Giroux wrote:

> > Notice that I like the idea of Tom's proposal, but it's flawed since it has an intrinsic race condition, in that the file test for the decision of
> > magic open happens before the open itself. So make sure the magic file does not exist when the * expansion happens, does not exist when the magic test is done, and exists again when finally the magic is executed. Using classical tricks with symlinks and fifo's you can make this race as big as you want.
> > (If you're logged in, or have full disk access)
> > So Tom's proposal gives only mock security, and I currently see no way to save it.
>
> I have a different view of the world, I guess.
> As I see it, Tom's fix would a) not break anything and b) stop someone who can ONLY control a filename created on the disk from messing things up.
> Since applying the fix would at least increase the access required to cause a problem (to "able to create a file" _and_ "able to remove the file"), I think it's worth doing.
> As it stands, any bad CGI script out there that lets users pick (or influence) the file name that "something" is stored as, and only checks for .'s and /'s in its taint checks could be exploited because of an interaction with this bug.
> Why not apply Tom's fix, which doesn't hurt anyone, and then debate better approaches later?
> I'm not disagreeing with you about the need for a better approach, BTW, or about Tom's fix being incomplete. But it's better than nothing, and doesn't break anything. So why not??
Because it gives a false sense of security. Once a race exists, it's then only a matter of finding an appropriate way to exploit it.

And Tom's fix DOES break using magic from the command line. Some very rare people use it, and if you know your system manager is of that type, you can go for a denial of service again. Sure, pretty rare, but I don't like to stop ANY valid use for a security fix that only solves PART of the problem.

(The false sense of security thing is of course a matter of opinion, so I won't react to further posts that discuss this aspect of the problem. This is a judgement call for the pumpkin (still trying to keep this thread from exploding))

Notice that in the scenario you mention I can still break the program using my other trick (the file starting with -e). So if you thought your scenario was safe, you just lost control of your web server.

And fixing THAT one with a file access check suddenly makes VALID programs sensitive to denial of service, which I think is completely unacceptable.
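The thread argues about two-argument `open` magic and the check-then-open proposal. The following is an added example, not code from the ticket or from either poster: it classifies the name forms that two-argument `open` treats specially (taken from the `open` entry in perlfunc), shows the three-argument form that reads a name literally regardless of its contents, and marks where the proposed `-e` pre-check leaves the time-of-check/time-of-use gap the reply describes. The function names, the constructed sample names and the temporary directory are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example; not part of the perl5 ticket or its authors' code.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Names that two-argument open() interprets as a mode, a pipe or a
# handle dup instead of a plain file to read (per perlfunc "open").
sub is_magic_name {
    my ($name) = @_;
    return 1 if $name =~ /^\s|\s$/;      # surrounding whitespace is stripped first
    return 1 if $name =~ /^[<>+]/;       # <, >, >>, +<, +> mode prefixes (also >&, <&)
    return 1 if $name =~ /^\||\|$/;      # "| cmd" or "cmd |" would run a command
    return 1 if $name eq '-';            # STDIN when reading, STDOUT when writing
    return 0;
}

# Literal form: an explicit mode means $name can only ever be a path.
# A name such as ">report.txt" is just an oddly named file here.
sub read_literal {
    my ($name) = @_;
    open(my $fh, '<', $name) or return undef;
    local $/;                            # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# The "test -e first" idea from the thread, written out so the gap is
# visible: the decision to treat $name literally is made on the result of
# -e, but the open happens later. Between the two calls the entry can be
# removed or replaced, so the check does not bind the later open (TOCTOU).
sub read_with_precheck {
    my ($name) = @_;
    if (-e $name) {                      # time of check
        return read_literal($name);      # time of use; not the same instant
    }
    # Under the old two-argument behaviour this branch would have handed
    # $name to open() for magic interpretation; we refuse instead.
    return undef;
}

# Constructed demo data: a file whose basename looks like a mode prefix.
my $dir  = tempdir(CLEANUP => 1);
my $path = File::Spec->catfile($dir, '>report.txt');
open(my $out, '>', $path) or die "create $path: $!";
print $out "quarterly numbers\n";
close $out;

for my $candidate ('report.txt', '>report.txt', '| cleanup', 'listing |', '-') {
    printf "%-16s magic=%d\n", "'$candidate'", is_magic_name($candidate);
}
print "literal read: ", read_literal($path);
print "precheck read: ", (read_with_precheck($path) // "(refused)\n");
```

The point of the contrast is that `is_magic_name` plus an existence test can only advise; it cannot make the later `open` behave as decided, because the file system may have changed in between. Passing an explicit mode to `open` removes the interpretation step altogether, so there is no decision left to race, which is the approach perlsec recommends for names that originate outside the program.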
Migrated from rt.perl.org#2864 (status was 'resolved')
Searchable as RT2864$