Re: dynamic /dev security hole?

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Michael Buesch <mbuesch@freenet.de>
To: Eric Lammerts <eric@lammerts.org>
Cc: Albert Cahalan <albert@users.sf.net>, Greg KH <greg@kroah.com>,
	Marc Ballarin <Ballarin.Marc@gmx.de>,
	albert@users.sourceforge.net,
	linux-kernel mailing list <linux-kernel@vger.kernel.org>
Subject: Re: dynamic /dev security hole?
Date: Mon, 9 Aug 2004 19:14:16 +0200	[thread overview]
Message-ID: <200408091914.19412.mbuesch@freenet.de> (raw)
In-Reply-To: <Pine.LNX.4.58.0408091302010.9426@vivaldi.madbase.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Quoting Eric Lammerts <eric@lammerts.org>:
> Better not do it for symlinks.

Yes, you're right.

===== udev-remove.c 1.31 vs edited =====
- --- 1.31/udev-remove.c	2004-04-01 04:12:56 +02:00
+++ edited/udev-remove.c	2004-08-09 19:12:55 +02:00
@@ -65,6 +65,41 @@
 	return 0;
 }
 
+/** Remove all permissions on the device node, before
+  * unlinking it. This fixes a security issue.
+  * If the user created a hard-link to the device node,
+  * he can't use it any longer, because he lost permission
+  * to do so.
+  */
+static int secure_unlink(const char *filename)
+{
+	int retval;
+
+	retval = chown(filename, 0, 0);
+	if (retval) {
+		dbg("chown(%s, 0, 0) failed with error '%s'",
+		    filename, strerror(errno));
+		/* We continue nevertheless.
+		 * I think it's very unlikely for chown
+		 * to fail here, if the file exists.
+		 */
+	}
+	retval = chmod(filename, 0000);
+	if (retval) {
+		dbg("chmod(%s, 0000) failed with error '%s'",
+		    filename, strerror(errno));
+		/* We continue nevertheless. */
+	}
+	retval = unlink(filename);
+	if (errno == ENOENT)
+		retval = 0;
+	if (retval) {
+		dbg("unlink(%s) failed with error '%s'",
+			filename, strerror(errno));
+	}
+	return retval;
+}
+
 static int delete_node(struct udevice *dev)
 {
 	char filename[NAME_SIZE];
@@ -79,14 +114,9 @@
 	strfieldcat(filename, dev->name);
 
 	info("removing device node '%s'", filename);
- -	retval = unlink(filename);
- -	if (errno == ENOENT)
- -		retval = 0;
- -	if (retval) {
- -		dbg("unlink(%s) failed with error '%s'",
- -			filename, strerror(errno));
+	retval = secure_unlink(filename);
+	if (retval)
 		return retval;
- -	}
 
 	/* remove partition nodes */
 	if (dev->partitions > 0) {
@@ -94,7 +124,7 @@
 		for (i = 1; i <= dev->partitions; i++) {
 			strfieldcpy(partitionname, filename);
 			strintcat(partitionname, i);
- -			unlink(partitionname);
+			secure_unlink(partitionname);
 		}
 	}
 

- -- 
Regards Michael Buesch  [ http://www.tuxsoft.de.vu ]


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBF7DoFGK1OIvVOP4RAklbAJ0QXZkfiDOExHqTXpue+mKJCeIBHwCgwzAa
3V4LF0jNgiDyXbm6rw4wxqI=
=wXmk
-----END PGP SIGNATURE-----

next prev parent reply	other threads:[~2004-08-09 17:15 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-08-08 12:47 dynamic /dev security hole? Albert Cahalan
2004-08-08 15:58 ` Marc Ballarin
2004-08-08 15:04   ` Albert Cahalan
2004-08-08 20:42     ` Greg KH
2004-08-08 16:21   ` Greg KH
2004-08-08 21:43     ` Marc Ballarin
2004-08-08 22:07     ` Marc Ballarin
2004-08-09  4:40       ` Eric Lammerts
2004-08-09 13:30         ` Michael Buesch
2004-08-09 13:19           ` Albert Cahalan
2004-08-09 16:54             ` Michael Buesch
2004-08-09 17:04               ` Eric Lammerts
2004-08-09 17:14                 ` Michael Buesch [this message]
2004-08-10  0:21                   ` Greg KH
2004-08-11 17:12             ` [RFC, PATCH] sys_revoke(), just a try. (was: Re: dynamic /dev security hole?) Michael Buesch
2004-08-12 16:49               ` Michael Buesch
2004-08-12 19:51                 ` Alan Cox
2004-08-12 19:39                   ` Albert Cahalan
2004-08-13 12:39                   ` Michael Buesch
2004-08-09 14:49         ` dynamic /dev security hole? Alan Cox
2004-08-09 16:17           ` Eric Lammerts
2004-08-09 15:33             ` Alan Cox
2004-08-09 16:47               ` Eric Lammerts
2004-08-09 17:54                 ` Alan Cox
2004-08-10  0:21       ` Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200408091914.19412.mbuesch@freenet.de \
    --to=mbuesch@freenet.de \
    --cc=Ballarin.Marc@gmx.de \
    --cc=albert@users.sf.net \
    --cc=albert@users.sourceforge.net \
    --cc=eric@lammerts.org \
    --cc=greg@kroah.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox