Xref: utzoo news.admin:4340 news.software.b:1805 comp.bugs.sys5:713 comp.bugs.misc:191
Path: utzoo!attcan!uunet!yale!husc6!ddl
From: ddl@husc6.harvard.edu (Dan Lanciani)
Newsgroups: news.admin,news.software.b,comp.bugs.sys5,comp.bugs.misc
Subject: Re: mkdir() and security hole   ***** ONE-LINE FIX !! ****
Keywords: spoiler - helps both AT&T and Public domain mkdirs.
Message-ID: <871@husc6.harvard.edu>
Date: 22 Dec 88 03:26:03 GMT
References: <9466@merch.TANDY.COM> <851@husc6.harvard.edu> <379@skep2.ATT.COM>
Organization: Harvard University, Cambridge MA
Lines: 38

In article <379@skep2.ATT.COM>, wcs@skep2.ATT.COM (Bill.Stewart.[ho95c]) writes:
| nice(-255);	/* always win race condition  - fixes security bug */
| 		/* nice(-255) is not very nice, but root has its privileges */
| 		/* works with official mkdir and Doug's */
| 
| The original articles in news.admin pointed out a race
| condition in the /bin/mkdir used by V7 and System V
| older releases.  (mkdir runs setuid root, mknod's a
| directory then chowns it to getuid() - if you're fast you
| can rmdir the directory and ln /etc/passwd, especially if
| you nice -19 mkdir.)  Doug Davis posted a public-domain
| mkdir which he claimed fixed the problem.  Other people have
| pointed out that it helps, but doesn't prevent the race
| condition, and it's free source for people who only have
| binary systems.
| 
| Put a nice(-255) as the first line of your mkdir, and you'll
| "never" lose the race!!  The race condition worked, because
| on a loaded system, you could guarantee that sometimes your
| rm-and-link hack would happen between the mknod() and the chown(),
| as long as you ran the mkdir niced so it had a low priority.

	Unfortunately, this analysis is incorrect.  The real window
occurs while the mkdir process is blocked on disk I/O to, e.g., look
up elements of the path name of the file to chown().  No matter how
good a priority the process has, other processes will run while it
waits for the disk.  In fact, it is doubtful that you would ever
see the mkdir attack succeed if it actually required that the system
preempt the mkdir process "between" the mknod() and the chown().  Tests
with a well-crafted mkdir-breaker program showed that success was
nearly independent of process priority.
	Incidentally, the fix proposed by jfh@rpp386 (using dir/./.
as the target of the chown()) doesn't help either.  It was a good
try (and happened to be included in the mkdir test mentioned above)
but breaks down since link() itself is not atomic.

				Dan Lanciani
				ddl@harvard.*