Xref: utzoo news.admin:4357 news.software.b:1813 comp.bugs.sys5:722 comp.bugs.misc:199
Path: utzoo!attcan!uunet!mcvax!hp4nl!botter!star.cs.vu.nl!maart
From: maart@cs.vu.nl (Maarten Litmaath)
Newsgroups: news.admin,news.software.b,comp.bugs.sys5,comp.bugs.misc
Subject: mkdir plots (was: mkdir() and security hole)
Keywords: spoiler - helps both AT&T and Public domain mkdirs.
Message-ID: <1849@piraat.cs.vu.nl>
Date: 22 Dec 88 16:31:13 GMT
References: <871@husc6.harvard.edu> <9466@merch.TANDY.COM> <851@husc6.harvard.edu> <10845@swan.ulowell.edu> <876@husc6.harvard.edu>
Organization: V.U. Informatica, Amsterdam, the Netherlands
Lines: 63

ddl@husc6.harvard.edu (Dan Lanciani) writes:
\In article <10845@swan.ulowell.edu>, arosen@hawk.ulowell.edu (MFHorn) writes:
\...
\| A couple years ago, I had to fix this bug in one of our systems.  I had
\| source to mkdir.c, but not to the kernel, and was able to successfully
\| close the hole completely.
\
\Really?
\|
\| mknod(dirname);		/* Irrelevant arguments omitted */
\| link(".");
\| link("..");
\| chown(dirname);
\|
\| The real problem is mkdir trusts dirname to be the directory it just
\| created, which is not necessarily the case.  Nicing the process only
\| shrinks the window of vulnerability, but it doesn't close it.
\...
\| The proper fix is to change 'chown(dirname);' to 'chown(".");' and
\| add a chdir(dirname); in the right place (with proper error checking).
\|
\| mknod(dirname);
\| link(".");
\| link("..");
\| chdir(dirname);
\| chown(".");

Consider the following scheme:

	mkdir Xmas
		mknod("Xmas", ...);
		link("Xmas", "Xmas/.");
		link("", "Xmas/..");
		# scheduled out
	rmdir Xmas
	mkdir Xmas
		mknod("Xmas", ...);
		# scheduled out
	cd Xmas
	ln /etc/passwd .
		# now the first mkdir is scheduled back in
		chdir("Xmas");
		chown(".", ...);
		# thanks for the passwd file!
		# lots of error messages, but who cares!

If John F. Haugh's fix were applied, the scheme above wouldn't work:

		chown("./.", ...);
		# error: "." isn't a directory

... unless "." were a symbolic link to another directory.
However, I think it very improbable that symbolic links exist on systems
WITHOUT the mkdir() system call.

The scheme above makes one important thing clear: to gain complete security
one must reckon with pathological cases.

Two other cookies to be fixed on older systems: mv(1), rmdir(1).
The rename() system call wasn't invented for nothing.

To Dan Lanciani: could you clarify your ideas by giving a mkdir plot example?
-- 
 if (fcntl(merry, X_MAS, &a))		|Maarten Litmaath @ VU Amsterdam:
	perror("happy new year!");	|maart@cs.vu.nl, mcvax!botter!maart
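The race in the plot above, replayed on a current POSIX system as an added example (this is not code from the post, from Maarten Litmaath, or from any mkdir implementation). Two substitutions are assumptions made so it runs unprivileged: chmod stands in for the chown that a setuid mkdir would perform, and a symbolic link stands in for the "ln /etc/passwd ." trick, since a modern kernel will not let a user create a "." entry or hard-link a directory (the post itself names the symlink variant). The attacker's "scheduled out" moment is modelled by a callback invoked between the two steps, and the victim file and the /tmp scratch directory are constructed by the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stands in for the attacker being scheduled in between the two steps of
 * mkdir.  NULL means nobody interferes. */
typedef void (*race_hook)(const char *dir);

/* Shape of the old mkdir: create the directory, then apply the privileged
 * step to the *name*.  Nothing checks that `dir` still names what was
 * created.  chmod stands in for chown (assumption, keeps it unprivileged);
 * the time-of-check/time-of-use gap is identical. */
int mkdir_by_name(const char *dir, race_hook attacker)
{
    if (mkdir(dir, 0700) != 0)
        return -1;
    if (attacker)
        attacker(dir);              /* "# scheduled out" */
    return chmod(dir, 0755);        /* lands on whatever `dir` is now */
}

/* Modern spelling of chdir(dirname); chown("."): bind to the object once,
 * verify it is the directory we just made, then act through the handle. */
int mkdir_by_handle(const char *dir, race_hook attacker)
{
    if (mkdir(dir, 0700) != 0)
        return -1;
    if (attacker)
        attacker(dir);
    /* O_NOFOLLOW: a swapped-in symlink fails with ELOOP.
     * O_DIRECTORY: a swapped-in plain file fails with ENOTDIR.
     * Both are the analogue of the post's '"." isn't a directory' error. */
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    /* mkdir(2) gives the new directory to the calling uid; a directory owned
     * by anyone else was substituted. */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, 0755);      /* acts on the handle, not the name */
    close(fd);
    return rc;
}

/* Constructed victim standing in for the post's /etc/passwd. */
static char g_victim[4096];

/* The attacker's turn: "rmdir Xmas", then point the name somewhere else. */
static void swap_in_symlink(const char *dir)
{
    rmdir(dir);
    symlink(g_victim, dir);
}

/* Runs both variants through the same swap.  Returns 0 when the by-name
 * version lets the attacker redirect the privileged step onto the victim and
 * the by-handle version refuses; other values say which expectation failed. */
int demo(void)
{
    char base[] = "/tmp/mkdir-race.XXXXXX";   /* assumed writable scratch */
    char dir[4096];
    struct stat st;

    if (mkdtemp(base) == NULL)
        return 1;
    snprintf(g_victim, sizeof g_victim, "%s/victim", base);
    snprintf(dir, sizeof dir, "%s/Xmas", base);

    int vfd = open(g_victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0)
        return 2;
    close(vfd);

    /* 1. trusting the name: the chmod meant for Xmas lands on the victim */
    int rc_name = mkdir_by_name(dir, swap_in_symlink);
    if (stat(g_victim, &st) != 0)
        return 3;
    int victim_hit = (rc_name == 0 && (st.st_mode & 0777) == 0755);
    unlink(dir);
    chmod(g_victim, 0600);

    /* 2. binding to the object: the swap is detected, the victim untouched */
    int rc_handle = mkdir_by_handle(dir, swap_in_symlink);
    if (stat(g_victim, &st) != 0)
        return 4;
    int victim_safe = (rc_handle == -1 && (st.st_mode & 0777) == 0600);

    unlink(dir);
    unlink(g_victim);
    rmdir(base);
    return victim_hit ? (victim_safe ? 0 : 6) : 5;
}

int main(void)
{
    int rc = demo();
    puts(rc == 0 ? "by-name step was redirected onto the victim; by-handle step refused"
                 : "unexpected result");
    return rc;
}
```

The ownership check in mkdir_by_handle is what separates "an object I created" from "an object someone slid in under the same name"; in the post's setting the created directory is root-owned because the setuid mkdir did the mknod, so an attacker-owned substitute fails that test, while a non-directory fails O_DIRECTORY, which is exactly why the plot ends in "lots of error messages". Note that a directory the attacker already owns passing the check costs nothing, since the privileged step then only touches their own object.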