From: Michael Buesch <mbuesch@freenet.de>
To: Albert Cahalan <albert@users.sf.net>, Greg KH <greg@kroah.com>
Cc: Eric Lammerts <eric@lammerts.org>,
Marc Ballarin <Ballarin.Marc@gmx.de>,
albert@users.sourceforge.net,
linux-kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: dynamic /dev security hole?
Date: Mon, 9 Aug 2004 18:54:24 +0200 [thread overview]
Message-ID: <200408091854.27019.mbuesch@freenet.de> (raw)
In-Reply-To: <1092057570.5761.215.camel@cube>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Quoting Albert Cahalan <albert@users.sf.net>:
> Pretty much, but you must change ownership first to
> keep the user from changing the mode back. There are
> ways for an evildoer to win this race if you don't
> change the ownership first.
>
> Now all we need is revoke() and we're all set.
> Ordering: chown, chmod, revoke, unlink
>
> BTW, I'm make revoke() just force re-verification
> of file access.
So what about this updated patch?
I'm running latest udev with klibc and my patch.
It seems to work. At least with my USB stick. :)
Greg? Any comments?
===== udev-remove.c 1.31 vs edited =====
- --- 1.31/udev-remove.c 2004-04-01 04:12:56 +02:00
+++ edited/udev-remove.c 2004-08-09 18:42:08 +02:00
@@ -65,6 +65,41 @@
return 0;
}
+/** Remove all permissions on the device node, before
+ * unlinking it. This fixes a security issue.
+ * If the user created a hard-link to the device node,
+ * he can't use it any longer, because he lost permission
+ * to do so.
+ */
+static int secure_unlink(const char *filename)
+{
+ int retval;
+
+ retval = chown(filename, 0, 0);
+ if (retval) {
+ dbg("chown(%s, 0, 0) failed with error '%s'",
+ filename, strerror(errno));
+ /* We continue nevertheless.
+ * I think it's very unlikely for chown
+ * to fail here, if the file exists.
+ */
+ }
+ retval = chmod(filename, 0000);
+ if (retval) {
+ dbg("chmod(%s, 0000) failed with error '%s'",
+ filename, strerror(errno));
+ /* We continue nevertheless. */
+ }
+ retval = unlink(filename);
+ if (errno == ENOENT)
+ retval = 0;
+ if (retval) {
+ dbg("unlink(%s) failed with error '%s'",
+ filename, strerror(errno));
+ }
+ return retval;
+}
+
static int delete_node(struct udevice *dev)
{
char filename[NAME_SIZE];
@@ -79,14 +114,9 @@
strfieldcat(filename, dev->name);
info("removing device node '%s'", filename);
- - retval = unlink(filename);
- - if (errno == ENOENT)
- - retval = 0;
- - if (retval) {
- - dbg("unlink(%s) failed with error '%s'",
- - filename, strerror(errno));
+ retval = secure_unlink(filename);
+ if (retval)
return retval;
- - }
/* remove partition nodes */
if (dev->partitions > 0) {
@@ -94,7 +124,7 @@
for (i = 1; i <= dev->partitions; i++) {
strfieldcpy(partitionname, filename);
strintcat(partitionname, i);
- - unlink(partitionname);
+ secure_unlink(partitionname);
}
}
@@ -108,14 +138,9 @@
strfieldcat(filename, linkname);
dbg("unlinking symlink '%s'", filename);
- - retval = unlink(filename);
- - if (errno == ENOENT)
- - retval = 0;
- - if (retval) {
- - dbg("unlink(%s) failed with error '%s'",
- - filename, strerror(errno));
+ retval = secure_unlink(filename);
+ if (retval)
return retval;
- - }
if (strchr(dev->symlink, '/')) {
delete_path(filename);
}
- --
Regards Michael Buesch [ http://www.tuxsoft.de.vu ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBF6xAFGK1OIvVOP4RArfvAJwNf/CnIZTnEvUSNu3N4WI3tkqBOwCfe4B8
sM+KFpEX2PuDKsqcjTO9pV8=
=rd9Y
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2004-08-09 16:58 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-08 12:47 dynamic /dev security hole? Albert Cahalan
2004-08-08 15:58 ` Marc Ballarin
2004-08-08 15:04 ` Albert Cahalan
2004-08-08 20:42 ` Greg KH
2004-08-08 16:21 ` Greg KH
2004-08-08 21:43 ` Marc Ballarin
2004-08-08 22:07 ` Marc Ballarin
2004-08-09 4:40 ` Eric Lammerts
2004-08-09 13:30 ` Michael Buesch
2004-08-09 13:19 ` Albert Cahalan
2004-08-09 16:54 ` Michael Buesch [this message]
2004-08-09 17:04 ` Eric Lammerts
2004-08-09 17:14 ` Michael Buesch
2004-08-10 0:21 ` Greg KH
2004-08-11 17:12 ` [RFC, PATCH] sys_revoke(), just a try. (was: Re: dynamic /dev security hole?) Michael Buesch
2004-08-12 16:49 ` Michael Buesch
2004-08-12 19:51 ` Alan Cox
2004-08-12 19:39 ` Albert Cahalan
2004-08-13 12:39 ` Michael Buesch
2004-08-09 14:49 ` dynamic /dev security hole? Alan Cox
2004-08-09 16:17 ` Eric Lammerts
2004-08-09 15:33 ` Alan Cox
2004-08-09 16:47 ` Eric Lammerts
2004-08-09 17:54 ` Alan Cox
2004-08-10 0:21 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200408091854.27019.mbuesch@freenet.de \
--to=mbuesch@freenet.de \
--cc=Ballarin.Marc@gmx.de \
--cc=albert@users.sf.net \
--cc=albert@users.sourceforge.net \
--cc=eric@lammerts.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox