[krbdev.mit.edu #6289] replay cache is insecurely handled

Zhanna Tsitkova via RT rt-comment at krbdev.mit.edu
Thu Dec 4 13:57:04 EST 2008 

diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c	2008-11-20 14:26:58.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/rcache/rc_io.c	2008-11-20 14:28:08.000000000 -0800
@@ -223,7 +223,7 @@
     krb5_error_code retval = 0;
     int do_not_unlink = 1;
 #ifndef NO_USERID
-    struct stat statb;
+    struct stat sb1, sb2;
 #endif
     char *dir;
     size_t dirlen;
@@ -239,24 +239,50 @@
 
 #ifdef NO_USERID
     d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
+    if (d->fd == -1) {
+	retval = rc_map_errno(context, errno, d->fn, "open");
+	goto cleanup;
+    }
 #else
-    if ((d->fd = stat(d->fn, &statb)) != -1) {
-	uid_t me;
-
-	me = geteuid();
-	/* must be owned by this user, to prevent some security problems with
-	 * other users modifying replay cache stufff */
-	if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
-	    FREE(d->fn);
-	    return KRB5_RC_IO_PERM;
-	}
-	d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
+    d->fd = -1;
+    retval = lstat(d->fn, &sb1);
+    if (retval != 0) {
+	retval = rc_map_errno(context, errno, d->fn, "lstat");
+	goto cleanup;
     }
-#endif
-    if (d->fd == -1) {
+    d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
+    if (d->fd < 0) {
 	retval = rc_map_errno(context, errno, d->fn, "open");
 	goto cleanup;
     }
+    retval = fstat (d->fd, &sb2);
+    if (retval < 0) {
+	retval = rc_map_errno(context, errno, d->fn, "fstat");
+	goto cleanup;
+    }
+    /* check if someone was playing with symlinks */
+    if ((sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino)
+	|| (sb1.st_mode & S_IFMT) != S_IFREG)
+    {
+	retval = KRB5_RC_IO_PERM;
+	krb5_set_error_message(context, retval,
+			       "rcache not a file %s", d->fn);
+	goto cleanup;
+    }
+    /* check that non other can read/write/execute the file */
+    if (sb1.st_mode & 077) {
+	krb5_set_error_message(context, retval, "Insecure file mode "
+			       "for replay cache file %s", d->fn);
+	return KRB5_RC_IO_UNKNOWN;
+    }
+    /* owned by me */
+    if (sb1.st_uid != geteuid()) {
+	retval = KRB5_RC_IO_PERM;
+	krb5_set_error_message(context, retval, "rcache not owned by %d",
+			       (int)geteuid());
+	goto cleanup;
+    }
+#endif
     set_cloexec_fd(d->fd);
 
     do_not_unlink = 0;

More information about the krb5-bugs mailing list