Xref: utzoo news.admin:4346 news.software.b:1807 comp.bugs.sys5:716 comp.bugs.misc:193
Path: utzoo!attcan!uunet!husc6!bloom-beacon!mit-eddie!killer!vector!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Newsgroups: news.admin,news.software.b,comp.bugs.sys5,comp.bugs.misc
Subject: Re: mkdir() and security hole ***** ONE-LINE FIX !! ****
Summary: Nope, this doesn't do it either.
Message-ID: <10284@rpp386.Dallas.TX.US>
Date: 22 Dec 88 06:12:36 GMT
References: <9466@merch.TANDY.COM> <851@husc6.harvard.edu> <10115@rpp386.Dallas.TX.US> <379@skep2.ATT.COM>
Reply-To: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Organization: Big "D" Home for Wayward Hackers
Lines: 22

In article <379@skep2.ATT.COM> wcs@skep2.UUCP (46323-Bill.Stewart.[ho95c],2G218,x0705,) writes:
>nice(-255); /* always win race condition - fixes security bug */
>            /* nice(-255) is not very nice, but root has its privileges */
>            /* works with official mkdir and Doug's */

Nope, this fails.  Consider - nice() does not insure you are always first,
it only insures that you are preferred.  After some period of execution,
the priority of the process will drop low enough for the user to slip in.
Instead of doing a single directory per mkdir, stuff the command line FULL
of directories.

Also, the lowest NICE is 0.  The default NICE is 20.  This only means that
proc.p_cpu for your mkdir process needs to be 20 more than p_cpu for the
bad guy's process.  One full second of execution should do this.  Once that
is accomplished, the bad guy should be able to slip in between.

A C program may be needed to get the timing information correct, but it
should be VERY possible.
-- 
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Unix doesn't have bugs,
InterNet: jfh@rpp386.Dallas.TX.US       |         Unix is a bug"
UucpNet : !killer!rpp386!jfh            +--              -- author forgotten --