> 1. Non-privileged process A running as user Alice creates a file
> called /tmp/ipc.
> 2. A signals to privileged process B, running as root, that the file exists.
> 3. Malevolent process C, running as user Eve, notices the file,
> unlinks it (which it can do due to the permissions on /tmp) and
> creates a new one in its place with its own preferred contents.
> 4. B performs its action on the newly-replaced file contents.

I debated whether I should mention my technique thinking someone might
bring up this precise vulnerability. :)

My rationale is based on the fact the BetterAuthorizationSample is
also vulnerable to a similar attack: some malicious code is running in
the background, and at just the right instant replaces the genuine
tool with a malicious one, and the malicious tool gets root
privileges. Granted, our cases are quite different: mine is completely
preventable by using an IPC mechanism that avoids the filesystem, as
you mentioned. But alas, I sided with the "if they want it bad
enough..." line of thinking.

David
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Reply via email to