[krbdev.mit.edu #3499] race in replay cache file ownership
Roland C. Dowdeswell via RT
rt-comment at krbdev.mit.edu
Tue Mar 7 15:38:31 EST 2006
In the replay cache code, in krb5_rc_io_open() there is the following
logic:
    if ((d->fd = stat(d->fn, &statb)) != -1) {
        uid_t me;
        me = geteuid();
        /* must be owned by this user, to prevent some security problems with
         * other users modifying replay cache stuff */
        if ((statb.st_uid != me) || ((statb.st_mode & S_IFMT) != S_IFREG)) {
            FREE(d->fn);
            return KRB5_RC_IO_PERM;
        }
        d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
    }
This is wrong and has a race between the stat(2) and the open. The
correct way to do this is:
    d->fd = THREEPARAMOPEN(d->fn, O_RDWR | O_BINARY, 0600);
    ret = fstat(d->fd, &statb);
    ...
I.e. fstat(2) the actual open fd in order to avoid the race.
Thanks,
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
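The open-then-fstat pattern the report asks for, as an added example that is not krb5's code: rc_open_checked() judges ownership and file type on the descriptor it actually obtained, and rc_open_demo() shows a regular file we own being accepted while a symlink to it is refused. The return codes, function names and the O_NOFOLLOW flag (an extra hardening step beyond what the report proposes) are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical return codes for this example, not krb5's real constants. */
enum { RC_OK = 0, RC_IO_PERM = 1, RC_IO_ERR = 2 };

/* Race-free variant of the check: open() first, then fstat() the descriptor
 * actually obtained, so ownership and file type are judged on the same inode
 * the caller goes on to use. O_NOFOLLOW (an addition beyond the report) also
 * refuses a symbolic link at the final path component. */
int rc_open_checked(const char *path, int *fd_out)
{
    struct stat sb;
    int fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd == -1)
        return RC_IO_ERR;
    if (fstat(fd, &sb) == -1) {
        close(fd);
        return RC_IO_ERR;
    }
    if (sb.st_uid != geteuid() || !S_ISREG(sb.st_mode)) {
        close(fd);
        return RC_IO_PERM;
    }
    *fd_out = fd;
    return RC_OK;
}

/* Demo on a constructed temp directory: a regular file we own opens, and a
 * symlink pointing at that same file is refused. Returns 1 when both hold. */
int rc_open_demo(void)
{
    char dir[] = "/tmp/rcdemoXXXXXX", file[64], lnk[64];
    int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/rcache", dir);
    snprintf(lnk, sizeof lnk, "%s/rcache.lnk", dir);
    if ((fd = open(file, O_RDWR | O_CREAT | O_EXCL, 0600)) == -1) return 0;
    close(fd);
    ok = rc_open_checked(file, &fd) == RC_OK;
    if (ok) close(fd);
    ok = ok && symlink(file, lnk) == 0 && rc_open_checked(lnk, &fd) == RC_IO_ERR;
    unlink(lnk); unlink(file); rmdir(dir);
    return ok;
}
```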