Path: utzoo!attcan!uunet!husc6!ddl
From: ddl@husc6.harvard.edu (Dan Lanciani)
Newsgroups: news.admin
Subject: Re: mkdir() and security hole *****FIX****
Keywords: mkdir hole fix
Message-ID: <855@husc6.harvard.edu>
Date: 18 Dec 88 04:43:17 GMT
References: <9466@merch.TANDY.COM> <851@husc6.harvard.edu> <10048@merch.TANDY.COM>
Organization: Harvard University, Cambridge MA
Lines: 57

In article <10048@merch.TANDY.COM>, doug@letni.UUCP writes:
| In article <851@husc6.harvard.edu> ddl@husc6.harvard.edu (Dan Lanciani) writes:
| >
| >	The proposed mkdir replacement does not solve the problem. I
| >do not know if it introduces additional problems of its own, but I
| >would not recommend running it since the gain in security is minimal.
| >I will not describe in detail the variation required to subvert the
| >mkdir replacement, but consider the interval immediately before its
| >chown() call.
|
| Before you go bashing peoples code with induendos[sic] about how it supposedly
| does not work, why don't you do the author(s) a favor and send them
| either private mail, or call them on the phone. Since it's very
| easy to say %s program doesn't work and you shouldn't run it, and I won't
| go into why.

	I didn't say that the program doesn't work. I merely said that it
does not solve the problem that it sets out to solve and that I do not
*know* that it does not create additional problems of its own. Considering
the sensitivity of the issue and the fact that the replacement mkdir was
made public, it seems appropriate that criticism of it also be made public.
You will also probably be better off when someone decides to sue you for
providing a "Secure mkdir program, solves that nasty race problem..." that
really isn't/doesn't. :) I.e., you can say s/he had some warning...

| It makes me wonder if either my program really does have
| a problem, in which case I do need to know, or you didn't pay enough
| attention to how the program ran. Especially the area immediately before
| and right after the chown() call, look at what directory is getting
| chown'ed and what permissions its parent has.

	I'm not sure what you mean by "need to know," but since the problem
can't be fixed using the approach in the proposed replacement it wouldn't
help.

| So my advice to the net is to make your own discisions[sic] on what to run
| the original /bin/mkdir Which does have a problem. My mkdir which
| might have a problem, or it might not, but either way is more secure
| than /bin/mkdir.

	Alternately, someone on the net might be able to write a secure
mkdir based on the outline I presented.

| I really don't think that there is a problem with even posting
| a way to get around my mkdir, since it's not the standard mkdir
| program, and undoubtedly will not have the same security problems.

	On the contrary, it has exactly the same problem as the standard
mdir and the techniques required to exploit that problem are just those
that would make it even easier (i.e., quicker, less time sensitive) to
subvert the standard mkdir.

				Dan Lanciani
				ddl@harvard.*

PS: I don't read news.admin, so I may miss future followups...
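An added C example, written for this page and not code from the thread, from Doug's replacement mkdir, or from the outline Dan refers to. It shows the defender's side of the race the two posters are arguing about: a user-level mkdir that creates the directory node with one privileged call and then chowns it by path name leaves an interval, the one Dan points at "immediately before its chown() call", in which the name can come to refer to something other than the directory just made. The mkdir(2) system call (4.2BSD and later) creates the directory and assigns its owner in a single kernel operation, so no such interval exists, and any further privileged adjustment here is applied to an open descriptor (fchown/fchmod) rather than to the path. The function names, the temporary tree under /tmp and the checks in self_check() are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a directory with mkdir(2), which creates the node and sets
 * its owner atomically in the kernel, then apply ownership and mode to the
 * open descriptor rather than to the path name.  Returns 0 on success, -1
 * with errno set on failure.  (Name is ours, not from the original thread.) */
int make_dir_safely(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    /* EEXIST covers every pre-existing entry, a symlink included: we never
     * adopt something that was there before the call. */
    if (mkdir(path, mode) != 0)
        return -1;

    /* O_NOFOLLOW: fail if the name has been turned into a symlink since the
     * mkdir.  O_DIRECTORY: fail if it is anything but a directory. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode)) {
        close(fd);
        errno = ENOTDIR;
        return -1;
    }

    /* These act on the inode we hold open, not on whatever the path resolves
     * to at this moment.  fchmod also undoes the umask applied by mkdir. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, mode) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Exercises make_dir_safely() in a private temporary tree (constructed here).
 * Returns 0 if every expectation holds, otherwise the number of the step
 * that failed. */
int self_check(void)
{
    char base[] = "/tmp/safe_mkdir_XXXXXX";
    char sub[128], lnk[128];

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(sub, sizeof sub, "%s/sub", base);
    snprintf(lnk, sizeof lnk, "%s/lnk", base);

    /* 2: a fresh directory is created and adjusted through its descriptor. */
    if (make_dir_safely(sub, 0700, getuid(), getgid()) != 0)
        return 2;
    /* 3: a second attempt on the same name must fail with EEXIST. */
    if (make_dir_safely(sub, 0700, getuid(), getgid()) == 0 || errno != EEXIST)
        return 3;
    /* 4/5: a name that already resolves to a symlink is refused the same way,
     * so the ownership change is never applied to the link's target. */
    if (symlink(base, lnk) != 0)
        return 4;
    if (make_dir_safely(lnk, 0700, getuid(), getgid()) == 0 || errno != EEXIST)
        return 5;

    unlink(lnk);
    rmdir(sub);
    rmdir(base);
    return 0;
}

int main(void)
{
    int rc = self_check();
    if (rc == 0)
        puts("all checks passed");
    else
        printf("check %d failed: %s\n", rc, strerror(errno));
    return rc;
}
```

The point of the descriptor-based steps is that a check on a path name and a later operation on the same path name are two separate lookups; doing the follow-up work on the descriptor returned by a single open() removes the second lookup, and with it the window in which the name could be redirected.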