From: "H. Peter Anvin" <hpa@zytor.com>
To: Brent Casavant <bcasavan@sgi.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: O_NOLINK for open()
Date: Wed, 12 Sep 2007 14:07:52 -0700 [thread overview]
Message-ID: <46E85528.3010405@zytor.com> (raw)
In-Reply-To: <20070912144128.D5573@pkunk.americas.sgi.com>
Brent Casavant wrote:
>
> I could mmap a temporary tmpfs file (tmpfs so that if there is a
> machine crash no sensitive data persists) which is created with
> permissions of 0, immediately unlink it, and pass the file
> descriptor through an AF_UNIX socket. This does open up a very
> small window of vulnerability if another process is able to chmod
> the file and open it before the unlink.
>
To avoid this window, typically one creates a temporary directory first,
with 0700 permissions. Make sure you verify that you actually created
the directory, and watch out for symlink attacks. Then you create the
file in that directory.
This doesn't prevent another process owned by the same user (or root)
from attaching, but such a process can ptrace you or touch yoour /proc
spaec just as well, so you're screwed anyway (modulo SELinux-type policies.)
> However, it occurs to me that this problem goes away if there were
> a method create a file in an unlinked state to begin with. However
> there does not appear to be any such mechanism in Linux's open()
> interface. A bit of Googling indicates that Hurd has an O_NOLINK
> flag which seems to accomplish what I'd need, but Linux doesn't
> implement such a flag. There was some discussion of this in various
> lkml threads in the past, but none that went anywhere. Perhaps
> the best an explaining why other mechanisms (i.e. directories
> with particular permissions aren't a solution) is:
>
> http://marc.info/?l=linux-kernel&m=93032806224160&w=2
>
This link talks about file flags handling. I don't see the relevance to
this problem at all. However, this is a very long thread, so if there
is anything specific that you want to point to, then please elucidate.
> Of course it is reasonable to take the stance that if root or the
> daemon's user are malicious, all bets are off anyway.
Yup, see above.
-hpa
next prev parent reply other threads:[~2007-09-12 21:09 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-09-12 20:37 O_NOLINK for open() Brent Casavant
2007-09-12 21:07 ` H. Peter Anvin [this message]
2007-09-12 21:39 ` Brent Casavant
2007-09-12 21:46 ` H. Peter Anvin
2007-09-12 21:42 ` Andreas Schwab
2007-09-12 22:44 ` Brent Casavant
2007-09-12 22:49 ` Al Viro
2007-09-12 23:27 ` Brent Casavant
2007-09-12 23:48 ` Brent Casavant
2007-09-14 16:37 ` Goswin von Brederlow
2007-09-13 10:08 ` Gabor Gombas
2007-09-13 16:05 ` Brent Casavant
[not found] <92Haf-7z7-5@gated-at.bofh.it>
2007-09-12 22:33 ` Bodo Eggert
2007-09-13 9:13 ` Jan Kara
2007-09-14 9:07 ` Bodo Eggert
[not found] ` <92TO5-246-1@gated-at.bofh.it>
[not found] ` <92Zqu-2ur-1@gated-at.bofh.it>
2007-09-14 10:30 ` Bodo Eggert
2007-09-14 10:50 ` Andreas Schwab
2007-09-14 17:26 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46E85528.3010405@zytor.com \
--to=hpa@zytor.com \
--cc=bcasavan@sgi.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox