On Tue, 11 Jun 2002, Muli Ben-Yehuda wrote:

> > > Because I'm doing it as part of syscalltrack's test suite, and it
> > > needs to be a fixed name so that I'll be able to make rules to match
> > > on it. We do support pattern matching, so I could use mkstemp() with a
> > > fixed template, but I would like to test our '==' operator, not just
> > > '=~'.
> >
> > who might 'pull the file below our feet'?
>
> An attacker. Since the tests must be run as root, I would hate to see
> us featured on bugtraq one day. Remember, just because I'm paranoid
> doesn't mean they aren't after me.

which means, you need to fix the root of the problem (why we create files
in publicly accessible directories in the first place) - not the
symptom.

> > what i'd suggest (pity we didn't do that long ago) is create a directory,
> > chdir to it, and in _that_ directory perform all of the testing. this way,
> > you could eventually just recursively remove the directory during
> > cleanup.
>
> I have a patch implementing this already written. However, it doesn't
> protect us from the symlink attack.

why not? you may do the following check:

'stat' the current dir. if its owned by root, and its parent dir is also
owned by root, and both dirs are only writeable for root, then go on with
the test. otherwise, complain and exit.

this should be race safe, since if the directories had this structure, a
non-root user couldn't replace the current dir with one he can manipulate.

> > for mode changing, there is 'fchmod'. for exec, there is 'fexecv'. but
> > there is no 'funlink', i'm afraid.
>
> I know. Seems like a rather glaring omission in unixish design.

can't be done without a redesign of the file system structs, it seems.
check the following:

http://archives.neohapsis.com/archives/linux/lsap/2001-q1/0157.html

and read the posts that follow it (e.g.
http://archives.neohapsis.com/archives/linux/lsap/2001-q1/0158.html ).

-- 
guy

"For world domination - press 1,
 or dial 0, and please hold, for the creator." -- nob o. dy
