Re: -rw-rw-rw- 1 root 8025 Aug 24 04:10 /tmp/.lsof_dev_cache
der Mouse (mouse Collatz.McRCIM.McGill.EDU)
Tue, 29 Aug 1995 20:18:53 -0400
> If I left the impression that I was confident this isn't a potential
> security hazard, I was foolish. I worried about it when I installed
> the feature, I was worried enough about it to accompany it with
> documentation, and I'm still worried about it. However, in my
> opinion the performance payoff is just too great to ignore having
> this feature. I've tried as hard as I know to make it as safe as
> possible.
Well, I think I would prefer one file per invoking UID, mode 600 owned
by that user, and when opening it you should be very paranoid.
Something like:

- lstat() it
- if it's nonexistent
    - open with O_EXCL|O_CREAT
    - fstat() the fd
    - lstat() it again
    - make sure the two stat structures agree, and that the
      lstat() didn't indicate a symlink
- else, it exists, so
    - make sure it's not a symlink, expected owner and mode
    - open without O_EXCL or O_CREAT
    - if the open failed with ENOENT, go back to the top
      (perhaps put a (small) retry count limit on this?)
    - fstat() the fd
    - make sure it matches the first lstat()

Of course, this should all be done after permanently discarding all
privilege (which should have been done very early in startup, right
after opening /dev/kmem and whatever else is needed).

I think the running-as-root case is important enough, and root needs an
especially trustworthy lsof enough, that even if all other users share
a cache file, root should have its own, and it should be mode 600.

Of course, that's just my opinion. And I don't have patches to back it
up, so to speak....
der Mouse
mouse
collatz.mcrcim.mcgill.edu