Xref: utzoo news.admin:4360 news.software.b:1814 comp.bugs.sys5:723 comp.bugs.misc:200
Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!ucsdhub!sdcsvax!ucsd!ames!killer!rpp386!jfh
From: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Newsgroups: news.admin,news.software.b,comp.bugs.sys5,comp.bugs.misc
Subject: Re: mkdir() and security hole
Summary: ... which is why the fix must either work or not matter.
Message-ID: <10326@rpp386.Dallas.TX.US>
Date: 23 Dec 88 22:17:54 GMT
References: <871@husc6.harvard.edu> <9466@merch.TANDY.COM> <851@husc6.harvard.edu> <10845@swan.ulowell.edu> <876@husc6.harvard.edu>
Reply-To: jfh@rpp386.Dallas.TX.US (The Beach Bum)
Organization: Big "D" Home for Wayward Hackers
Lines: 23

In article <876@husc6.harvard.edu> ddl@husc6.harvard.edu (Dan Lanciani) writes:
>| The real problem is mkdir trusts dirname to be the directory it just
>| created, which is not necessarily the case. Nicing the process only
>| shrinks the window of vulnerability, but it doesn't close it.
>
> Correct.

In the case of the posted patch which I suggested, this is immaterial.
If the directory being chown()'d is NOT the directory which was just
created, then the person doing the spoofing must have created the bogus
directory with some help by becoming root, since only root could have
made the bogus directory links.

Given THAT piece of information, it SHOULD be obvious that either the
patch works, or the bad guy was root already in which case it doesn't
matter what the hell happens.

Only root can create arbitrary directory structures. Only a clever
manipulation of the directory structure could cause mkdir to chown the
wrong directory.
--
John F. Haugh II                        +-Quote of the Week:-------------------
VoiceNet: (214) 250-3311   Data: -6272  |"Unix doesn't have bugs,
InterNet: jfh@rpp386.Dallas.TX.US       |         Unix is a bug"
UucpNet :    !killer!rpp386!jfh         +--              -- author forgotten --
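
The argument above depends on the chown target being a genuine directory. As an added example (not part of the original post, and not the patch it refers to, which this page does not show), here is that check-then-chown step written with modern POSIX descriptor calls, so the check and the chown act on the same object. The helper names `chown_pinned_dir` and `make_dir_for` are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: chown `path` only if it is a real directory that
 * this process owns. Returns 0 on success, -1 on any mismatch. */
int chown_pinned_dir(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1;
    /* Pin whatever the name refers to right now. O_NOFOLLOW rejects a
     * symlink placed under the name; O_DIRECTORY rejects a plain file. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    /* fstat() and fchown() both go through the descriptor, so a later
     * change to the name cannot redirect the chown to another inode. */
    if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && st.st_uid == geteuid())
        rc = fchown(fd, uid, gid);
    close(fd);
    return rc;
}

/* Hypothetical helper: create `path`, then hand it to uid/gid. */
int make_dir_for(const char *path, uid_t uid, gid_t gid)
{
    if (mkdir(path, 0777) != 0)
        return -1;              /* includes EEXIST: never adopt an existing name */
    return chown_pinned_dir(path, uid, gid);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s newdir\n", argv[0]);
        return 2;
    }
    int rc = make_dir_for(argv[1], getuid(), getgid());
    printf("%s: %s\n", argv[1], rc == 0 ? "created and chowned" : "refused");
    return rc == 0 ? 0 : 1;
}
```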