[linux-security] Re: Programming ...
- From: Tollef Fog Heen <tollef add no>
- To: linux-security redhat com
- Subject: [linux-security] Re: Programming ...
- Date: 27 Nov 1999 23:05:19 +0100
Just some small comments on opening files.
Wade Maxfield <maxfield ctelcom net> writes:
> If a perp can create a symlink to a file that a daemon is
> about to delete (such as in a tmp directory), he may get /etc/hosts.deny
> deleted through the daemon not checking.
Please note that according to:
UNLINK(2) Linux Programmer's Manual UNLINK(2)
unlink does _not_ follow symlinks:
If the name referred to a symbolic link the link is
removed.
So, using unlink on a symbolic link is _not_ harmful.
Be sure to set your umask. Don't trust the user starting the
program. Clear your environment, or at least don't trust it. Be sure
to set your path to something trusted.
If this thing is going to be programmed in C, the "correct" way to
create a file is:
open("filename",O_CREAT|O_EXCL|O_WRONLY,whatever_permissions_you_want);
(change O_WRONLY to O_RDWR if you want to read from the file)
Please note that this is _not_ secure over NFS (as the man 2 open page
says), but there is another way (see open(2) man page).
To open an existing file you can do:
open("filename",O_RDWR|O_NOFOLLOW);
This requires kernel 2.1.126 and glibc >= 2.0.100. Else you can use
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
struct stat statbuf_1, statbuf_2;
int fd;                                                  /* handle_error(): your own failure handler */
if (lstat("filename", &statbuf_1) < 0) handle_error();   /* lstat does not follow a symlink */
if ((fd = open("filename", O_RDWR)) < 0) handle_error();
if (fstat(fd, &statbuf_2) < 0) handle_error();
if (statbuf_1.st_ino != statbuf_2.st_ino ||   /* differing inode (or device)? then the */
    statbuf_1.st_dev != statbuf_2.st_dev) {   /* path was swapped between lstat and open */
    log_this_error();
    exit_gracefully_or_error_recovery();
}
Of course, the proper way to do this is a non-shared tmp
directory. This can also be done using a mkdir in /tmp. mkdir does not
follow dangling symlinks.
Also: _Always_ check the return value of each and every function
call. Prepare for unexpected input. Comment your code. This makes it
easier for others to see what you intended your code to do.
Read the faq in comp.security.unix and
<URL:ftp://ftp.auscert.org.au/pub/auscert/papers/secure_programming_checklist>
<URL:http://seclab.cs.ucdavis.edu/~bishop/classes/ecs153-98-winter/robust.html>
<URL:http://seclab.cs.ucdavis.edu/~bishop/scriv/>
<URL:http://www.dnaco.net/~kragen/security-holes.html>
<URL:http://www.homeport.org/~adam/review.html>
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
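Added example (not part of the mail above): the two idioms it describes, O_CREAT|O_EXCL for creating a file and O_NOFOLLOW plus the lstat/fstat inode comparison for opening an existing one, as C helpers, with a self-check that builds a scratch directory, a file and a symlink to it. The helper and directory names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file that must not exist yet: O_EXCL makes it atomic, so a
 * symlink pre-placed at the path gives EEXIST instead of being followed. */
int create_new_file(const char *path, mode_t mode)
{
    return open(path, O_CREAT | O_EXCL | O_WRONLY, mode);
}

/* Open an existing file, refusing a symlink at the last component: O_NOFOLLOW
 * where available, plus the mail's lstat/fstat device+inode comparison as the
 * portable fallback.  Returns fd, or -1 with errno = ELOOP (symlink) or
 * EAGAIN (the object behind the path changed between lstat and open). */
int open_existing_nofollow(const char *path)
{
    struct stat before, after;
    int fd, flags = O_RDWR;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    if (lstat(path, &before) < 0) return -1;
    if (S_ISLNK(before.st_mode)) { errno = ELOOP; return -1; }
    if ((fd = open(path, flags)) < 0) return -1;
    if (fstat(fd, &after) < 0 || before.st_dev != after.st_dev ||
        before.st_ino != after.st_ino) { close(fd); errno = EAGAIN; return -1; }
    return fd;
}
/* Exercise both helpers in a scratch directory constructed here: a fresh file
 * opens, a symlink to it is refused, and re-creating the name fails (0 = all ok). */
int self_check(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", target[64], alias[64];
    int fd, ok;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/data", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);
    ok = (fd = create_new_file(target, 0600)) >= 0 && close(fd) == 0
      && (fd = open_existing_nofollow(target)) >= 0 && close(fd) == 0
      && symlink(target, alias) == 0
      && open_existing_nofollow(alias) < 0 && errno == ELOOP
      && create_new_file(alias, 0600) < 0 && errno == EEXIST;
    unlink(alias); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}
```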