From: Lionel Cons (lionel.conscern.ch)
Date: Thu Mar 29 2001 - 10:37:15 CST

    Solar Designer <solaropenwall.com> writes:
    >
    > I think there's a third approach: remember the full path and chdir()
    > to it rather than chdir(".."). Unfortunately, this is also DoS'able.

    This is still not safe: the attacker could have put a symlink in the
    full path that you remembered. We really need a chdir() that never
    crosses symlinks...

    > Could you share the patch with us?

    The full patch was rather long because it contained bug fixes and
    enhancements. I enclose below the subset for this problem.

    As a result of our discussion, it appears that a better solution
    (e.g. using fchdir() when available) is needed. I'll try to find some
    time to make a better patch.

    > I hope to release the Owl preview next month.

    Great! I'm eager to see it...

    > There's nothing too exciting in our findutils package, we simply took
    > the patch from this Bugtraq post:
    >
    > http://marc.theaimsgroup.com/?l=bugtraq&m=87930069226479&w=2
    >
    > but I'll attach the two patches against 4.1.5 that we have in the
    > package.

    Thanks. I'll have a deeper look at them now.

    ________________________________________________________
    Lionel Cons http://home.cern.ch/~cons
    CERN http://www.cern.ch
     
    For every complex problem, there is a solution that is simple, neat, and
    wrong.
            - H. L. Mencken

    diff -Naur findutils-4.1.6/find/find.c findutils-4.1.6-1/find/find.c
    --- findutils-4.1.6/find/find.c Wed Apr 12 10:15:40 2000
    +++ findutils-4.1.6-1/find/find.c Thu Mar 29 16:28:42 2001
    -1,4 +1,4
    -/* find -- search for files in a directory hierarchy
    +S/* find -- search for files in a directory hierarchy
        Copyright (C) 1990, 91, 92, 93, 94, 2000 Free Software Foundation, Inc.
     
        This program is free software; you can redistribute it and/or modify
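
Review bot: The changed first line of find/find.c gains a stray "S" in front of the opening comment ("S/* find -- search for files in a directory hierarchy"), which is unrelated to the directory check and leaves a bare token at file scope. Drop this hunk so the header comment stays as it was.
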
    -445,6 +445,7
     {
       char *name_space; /* Names of files in PATHNAME. */
       int subdirs_left; /* Number of unexamined subdirs in PATHNAME. */
    + struct stat stat_buf;
     
       subdirs_left = statp->st_nlink - 2; /* Account for name and ".". */
     
    -483,6 +484,15
               return;
             }
     
    + /* Check that we are where we should be. */
    + if (lstat(".", &stat_buf))
    + error (1, errno, "lstat %s/.", pathname);
    + if (stat_buf.st_dev != dir_ids[dir_curr].dev ||
    + stat_buf.st_ino != dir_ids[dir_curr].ino)
    + error (1, 0, "oops, got lost under %s %d:%d != %d:%d", pathname,
    + stat_buf.st_dev, stat_buf.st_ino,
    + dir_ids[dir_curr].dev, dir_ids[dir_curr].ino);
    +
           for (namep = name_space; *namep; namep += file_len - pathname_len + 1)
             {
               /* Append this directory entry's name to the path being searched. */
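
Review bot: Both failure paths of the check added before the entry loop call error() with exit status 1 (for example error (1, 0, "oops, got lost under ...")), so one directory swapped during the walk ends the entire find run, and anyone able to rename a directory under the search path can abort it. Consider reporting with status 0 and skipping only the affected subtree. Also, st_dev and st_ino are passed to %d; both can be wider than int, so cast them to long and print with %ld.
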
    -537,6 +547,18
                   if (fchdir (starting_desc) || chdir (parent))
                     error (1, errno, "%s", parent);
     #endif
    + }
    +
    + if (dir_curr > 0)
    + {
    + /* Check that we are where we should be. */
    + if (lstat(".", &stat_buf))
    + error (1, errno, "lstat %s/.", parent);
    + if (stat_buf.st_dev != dir_ids[dir_curr-1].dev ||
    + stat_buf.st_ino != dir_ids[dir_curr-1].ino)
    + error (1, 0, "oops, got lost under %s %d:%d != %d:%d", parent,
    + stat_buf.st_dev, stat_buf.st_ino,
    + dir_ids[dir_curr-1].dev, dir_ids[dir_curr-1].ino);
                 }
             }
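
Review bot: The check added after the return to the parent duplicates, line for line, the one added before the entry loop; only the index (dir_ids[dir_curr-1]) and the reported name (parent) differ. Move the lstat(".") call and the dev/ino comparison into one helper that takes the dir_ids index and the path to report, so the two copies cannot drift apart.
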
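
The fchdir() direction mentioned in the message, as an added sketch that is not part of the original post or of findutils: the directory is opened with O_NOFOLLOW, its dev:ino is compared on the descriptor before the process moves, and the return goes through a saved descriptor rather than chdir(".."). The names `enter_dir`, `leave_dir` and `demo`, and the scratch directory under /tmp, are hypothetical; POSIX.1-2008 `O_NOFOLLOW` and `O_DIRECTORY` are assumed to be available.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter `name` only if it is still the directory recorded in `seen` (an
 * earlier lstat()). Returns an fd for the directory left, or -1. */
int enter_dir(const char *name, const struct stat *seen)
{
    struct stat st;
    int parent = open(".", O_RDONLY);
    /* O_NOFOLLOW: fail if `name` has been replaced by a symlink. */
    int child = open(name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (child >= 0 && parent >= 0 && fstat(child, &st) == 0 &&
        st.st_dev == seen->st_dev && st.st_ino == seen->st_ino &&
        fchdir(child) == 0) {
        close(child);
        return parent;
    }
    if (child >= 0) close(child);   /* cwd has not changed on this path */
    if (parent >= 0) close(parent);
    return -1;
}

/* Go back through the saved descriptor instead of chdir(".."). */
int leave_dir(int parent)
{
    int rc = fchdir(parent);
    close(parent);
    return rc;
}

/* Constructed scenario; returns 0 when both cases behave as intended. */
int demo(void)
{
    char t[] = "/tmp/walkXXXXXX";   /* scratch directory, assumption */
    struct stat seen;
    int fd;
    if (!mkdtemp(t) || chdir(t) || mkdir("sub", 0700) || lstat("sub", &seen))
        return -1;
    if ((fd = enter_dir("sub", &seen)) < 0 || leave_dir(fd))
        return 1;   /* normal descent and return failed */
    /* Simulated race: "sub" turns into a symlink after it was examined. */
    if (rmdir("sub") || symlink("/", "sub"))
        return -1;
    return enter_dir("sub", &seen) == -1 ? 0 : 2;
}
int main(void) { return demo(); }
```

Because a refused entry leaves the working directory untouched, the caller can skip that subtree and continue instead of exiting.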